Ransomware Notes
The Ransomware Notes tab provides direct visibility into the messages left behind by ransomware groups after an attack. These notes are critical because they contain the attacker’s instructions, threats, and demands. On the dark web, ransomware groups publish these notes to pressure victims into paying ransoms or to announce that sensitive data has been stolen.
Instead of relying on fragmented intelligence, you get direct access to the actual notes, giving you unmatched visibility into ransomware tactics.
How It Works
At the top, you have a search bar where you can enter:
The keyword of a ransomware family (e.g., Conti, Lockbit).
Or even a snippet of text from a ransom note you found on your systems.
This makes it possible to quickly identify the ransomware family based on the ransom message you received. For example, if your system is infected and you’re unsure which ransomware it is, you can paste part of the message into the search, and the system will map it to the correct group.
Below, you see a cloud of ransomware group names (like lockbit3, clop, everest, icefire, blackbasta). These represent the ransomware families tracked by the system. Clicking on any name immediately displays the exact ransom note that group leaves behind.
Detailed Note View
When you click on a ransomware family (for example, icefire), the system shows the full ransom note content:
Threat Message – The attacker announces the system has been encrypted and data stolen.
Instructions – Steps for the victim to follow, such as downloading Tor Browser, visiting a hidden onion site, or contacting attackers.
Credentials or IDs – Unique identifiers, usernames, or passwords given to the victim.
Warnings – Attackers often threaten that attempts to recover files without paying will cause permanent data loss.
Ransom Conditions – Notes sometimes mention deadlines, prices, or penalties if payment is delayed.
This allows you to see the exact communication style of the ransomware group, compare it against your own incident, and confirm attribution.
Why This Is Strong
What makes this capability extremely strong is:
Attribution Power – You can quickly identify which ransomware group infected your system based solely on the ransom message.
Faster Incident Response – By knowing the exact ransomware family, defenders can access recovery guides, check decryptor availability, and understand the attacker’s known behavior.
Threat Intelligence – Security teams can analyze and compare notes across groups to see how extortion tactics evolve over time.
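As an added illustration of the snippet-to-family mapping described under How It Works and the attribution point above (example code written for this page, not the platform's own matching logic), the following Python matcher scores a ransom-note snippet against a catalogue of known notes using word-bigram containment. The catalogue notes are constructed placeholders, not the real notes of the named groups; the stopword list and the 0.5 threshold are assumed values.

```python
import re

# Constructed sample catalogue: family name -> note text. These are placeholder
# notes written for this example, NOT the real notes of the named groups.
CATALOGUE = {
    "icefire": "Your network has been encrypted. Download Tor Browser and open "
               "our portal using your unique ID to negotiate.",
    "lockbit3": "All your files are stolen and encrypted. Contact us via the chat "
                "link with your personal decryption ID within 72 hours.",
    "clop": "We have downloaded your data. Do not use third party software to "
            "restore files. Email us to avoid publication.",
}

# Assumed stopword list: common words that carry no attribution signal.
STOPWORDS = {"the", "and", "you", "your", "our", "with", "are", "for", "has",
             "have", "been", "not", "all", "via", "use", "to", "of", "is"}


def tokenize(text: str) -> list[str]:
    """Lowercase, strip punctuation and drop stopwords so wording survives
    small edits such as changed IDs, URLs or line breaks."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [w for w in words if len(w) > 1 and w not in STOPWORDS]


def shingles(tokens: list[str], n: int = 2) -> set[str]:
    """Word n-grams; a single-word snippet degrades to a unigram set."""
    if len(tokens) < n:
        return set(tokens)
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def containment(snippet_tokens: list[str], note_tokens: list[str]) -> float:
    """Fraction of the snippet's bigrams that appear in the note (0.0 to 1.0).
    Containment rather than Jaccard, because the snippet is much shorter
    than the full note and should not be penalised for that."""
    a, b = shingles(snippet_tokens), shingles(note_tokens)
    return len(a & b) / len(a) if a else 0.0


def attribute(snippet: str, catalogue: dict = CATALOGUE, threshold: float = 0.5):
    """Return (best_family or None, ranked [(family, score), ...]).
    None means no note in the catalogue is similar enough to claim attribution."""
    snip = tokenize(snippet)
    scores = {fam: containment(snip, tokenize(note)) for fam, note in catalogue.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best_family, best_score = ranked[0]
    return (best_family if best_score >= threshold else None), ranked


if __name__ == "__main__":
    print(attribute("open our portal using your unique ID"))
```

A score below the threshold is reported as no match rather than a weak guess, since generic phrases such as "your files have been encrypted" appear in notes from many families and should not drive attribution on their own.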