Glossary

Technical terms used across RansomLook: groups, actors, infrastructure types, metrics and relationships.

Core concepts

Group
A ransomware group or data-extortion collective tracked by RansomLook. Groups usually operate one or more leak sites, file servers and communication channels.
Actor
A named individual or pseudonym (threat actor, developer, affiliate, broker, admin, etc.) related to ransomware or data-extortion activity.
Victim / Post
A single entry published by a group about a targeted organisation. In RansomLook this is usually stored as a “post” and is associated with one group and one discovery timestamp.
RaaS (Ransomware-as-a-Service)
Operating model where a core team develops the ransomware and infrastructure, while affiliates perform intrusions and share the profits.

Infrastructure types

DLS (Dedicated Leak Site / Darknet Leak Site)
Tor-based website operated by a group to list victims and publish stolen data when ransoms are not paid. This is the main “blog” used for extortion pressure.
FS (File Server / File Storage)
Infrastructure used to host or distribute stolen data (archives, samples, full dumps). This can be a separate Tor service, a clearnet file host, or another storage endpoint distinct from the public DLS.
Chat
Communication endpoints used for negotiation or contact with victims and affiliates. This includes web-based chat on Tor portals, Telegram channels, X/Twitter accounts, email and other messaging systems.
Admin / Affiliates panel
Administrative or affiliate-focused infrastructure that is not intended for public victim browsing. Typical examples: recruitment panels for affiliates, management portals for campaigns, internal status or payment pages.
Relay / Mirror
A technical copy of a group’s site (DLS, FS, chat portal, admin panel) accessible at a different domain or onion address. RansomLook tracks each relay or mirror as a separate location, with its own online/offline status.
Slug
Normalised name used internally to build URLs for a specific location of a group (for example a particular DLS, FS or chat endpoint). Slugs are used to create deterministic filenames and links.
Private location
A location (DLS, FS, chat, admin) that is stored in the database but intentionally not displayed to unauthenticated visitors. It is still used for scraping, monitoring and metrics.

Data and metrics

Parser
Piece of code dedicated to a specific group or site. The parser extracts structured data from HTML pages (victim name, sector, country, dates, etc.) and populates the internal database.
Discovery date / Discovered
Timestamp at which RansomLook first observed a victim post on a group’s infrastructure. It may differ from the original intrusion or encryption date.
Leak / Dataleak
Public dataset containing credentials or other information exposed in previous breaches. RansomLook integrates external leak databases for enrichment and pivoting.
Ransomware notes / Ransom notes
Text files or HTML pages left on compromised systems by ransomware operators. RansomLook indexes ransom notes from external sources to help identify families and operations.
Crypto address / Wallet
Cryptocurrency address controlled or used by a group or affiliate to receive ransom payments. These addresses are monitored and correlated with known ransomware activity.

Ecosystem and sources

Markets / Forums
Darknet or clearnet platforms where actors trade access, data, tools or services. RansomLook tracks these as separate entities from ransomware groups, with their own relays and metrics.
RF Dumps / Recorded Future
Optional private integration providing additional leak information and dumps from Recorded Future. When enabled, it appears as an extra data source in RansomLook.
Onion service (Tor)
Hidden service accessible through the Tor network. Most DLS, FS and negotiation panels are onion services, sometimes with multiple relays or versions.
v3 onion
Current version of Tor hidden service addresses (a 56-character name followed by the .onion suffix). RansomLook tracks onion versions to better classify and monitor infrastructure changes.

Relationships

Affiliates
External operators who work with a core ransomware group or service. Affiliates perform intrusions, deploy ransomware and share a percentage of the ransom with the core operators.
Peers
In the actor model, “peers” are other actors linked to a given individual or pseudonym. This can represent collaboration, shared infrastructure or repeated co-appearance in the same operations.
Groups / Forums (relations)
Links between one actor and multiple groups or markets. RansomLook stores these relations so users can explore which actors appear to operate across which ecosystems.