Ransomware Overview

The Ransomware Overview tab provides organizations with a high-level snapshot of global ransomware activity. Since ransomware campaigns are often planned, coordinated, and advertised in the dark web, this section leverages intelligence gathered from underground forums, leak sites, and hidden marketplaces. By correlating this information with real-world attack telemetry, the system ensures that you stay ahead of evolving ransomware threats.

This tab is not just about numbers it gives actionable visibility into how many victims have been impacted, how many threat groups are active, and how the trend evolves month by month. It bridges the intelligence gap between what’s happening in the dark web and the real attacks hitting businesses worldwide.

Ransomware Intelligence Summary

• Victims

  This represents the total number of ransomware victims recorded in the system across all years. It gives a complete picture of the global scale of ransomware activity detected and tracked.

• Groups

  Indicates the total number of distinct ransomware groups identified. Each group represents an organized cybercriminal entity operating on the dark web, giving security teams insight into the breadth of threat actors.

• Current Month Victims

  Shows the number of victims detected in the current month. This metric highlights ongoing and active ransomware campaigns, giving a real-time pulse of current attacks.

• Current Year Victims

  Reflects the cumulative number of victims reported in the current year. It allows organizations to measure the yearly impact of ransomware and compare trends with previous years.

Top 10 Ransomware in This Year

This visualization highlights the ten most active ransomware groups in the current year. For each group, the chart shows:

• Group Name – The ransomware group responsible for the attacks (e.g., akira, qilin, clop).

• Number of Victims – How many organizations or individuals were successfully targeted by that group this year.

Each group is represented with a distinct color, making it easy to visually differentiate between them. The pie chart format provides an at-a-glance view of which ransomware groups dominate the threat landscape, allowing analysts to quickly identify the most aggressive actors.

This representation is graphical (visual chart), not just raw numbers. It ensures that even with large datasets, trends are instantly clear helping security teams prioritize monitoring and defense against the most impactful groups.

Annually Ransomware Activity

This chart illustrates ransomware activity across a full year, helping teams monitor how threats evolve over time.

• X-Axis (Months of the Year) – Displays the months from the beginning to the end of the year.

• Y-Axis (Number of Ransomware Victims) – Represents how many ransomware incidents were detected in each month.

The line graph shows how ransomware activity rises and falls throughout the year:

• Some months record higher peaks, indicating periods when ransomware campaigns were more aggressive and impacted a larger number of victims.

• Other months show declines, reflecting quieter periods with fewer detected incidents.

This visualization is powerful because it provides a yearly perspective of ransomware behavior, allowing security teams to:

• Identify seasonal patterns or recurring attack waves.

• Pinpoint high-risk periods where extra vigilance is needed.

• Understand the overall trend of ransomware incidents whether they are increasing, decreasing, or stabilizing year over year.

By looking at this chart, organizations gain not only raw numbers but also strategic insight into when ransomware groups are most active, strengthening preparedness and response planning.

Top 10 Targeted Sectors

This chart highlights the industries most frequently targeted by ransomware groups.

• Each bar represents a sector, with the length of the bar showing the number of victims.

• Colors are used to visually distinguish between sectors, making it easy to spot which industries are most impacted.

From the chart:

• Not Found – Represents attacks where the specific industry could not be identified.

• Business Services – The most clearly identified targeted sector, showing that attackers heavily exploit service providers.

• Manufacturing and Technology – Critical sectors often attacked due to their operational importance and high-value data.

• Other sectors such as Healthcare, Transportation, Agriculture, Financial, Government, and Education also appear, reflecting the broad range of industries under threat.

This visualization emphasizes that ransomware attacks are not limited to one field instead, they spread across industries, with a stronger focus on service-based and operational sectors.

Top 10 Targeted Countries

This chart shows the geographic distribution of ransomware victims.

• The donut chart in the center displays the total number of victims . Each colored segment corresponds to a country, with matching entries listed on the right.

• The Top 10 most affected countries.

Colors clearly separate each country, helping analysts immediately spot which nations suffer the highest ransomware concentration. This reinforces the global nature of ransomware, while showing which economies are most frequently attacked.

Number of Victims Per Month (Last 3 Years)

This line chart shows monthly ransomware victim trends over the past three years.

• Each year is represented with a different color line:

  • Yellow

  • Red

  • Beige

The X-axis shows months, while the Y-axis indicates the number of victims.

This visualization makes it easy to:

• Compare trends across years – For example, spikes or dips in certain months can reveal when ransomware groups are most active.

• Track seasonal patterns – Analysts can investigate why certain months (like February in 2025) show sharp increases.

• Assess year-over-year changes – Allowing organizations to see whether ransomware is accelerating or declining.

Global Victims Over Years

This block chart (heatmap-style) groups ransomware victims by ransomware family.

• Each block represents a ransomware group.

• The size of the block reflects the number of victims attributed to that group.

• The color intensity indicates ranges of victim counts:

  • Dark blue – 800+ victims (e.g., Lockbit3, Clop).

  • Medium blue – 500–799 victims.

  • Lighter shades – Decreasing victim ranges down to groups with fewer than 100 victims.

This visualization gives a clear hierarchy of which groups are the most dangerous and widespread globally.

For example:

• Lockbit3, Lockbit2, and Clop dominate with very large victim blocks.

• Other notable groups include Qilin, Play, Akira, and Alphv.

• Smaller blocks show lesser-known but still active ransomware groups.

It provides both scale and diversity making it clear which groups are industry leaders in attacks and how the ecosystem is fragmented among dozens of smaller actors.