
arxiv: 2605.24559 · v1 · pith:IWOXZRBCnew · submitted 2026-05-23 · 💻 cs.CR

Analyzing Concentration, Temporal Routines and Targeting in Public Ransomware Leak Site Data

Pith reviewed 2026-06-30 13:05 UTC · model grok-4.3

classification 💻 cs.CR
keywords: ransomware, data leak sites, cybercrime analysis, victim targeting, temporal patterns, activity concentration, behavioral traces

The pith

Ransomware groups show concentration of activity, temporal routines, and selective targeting in leak site posts rather than random behavior.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper builds a dataset of more than 27,000 posts from 325 ransomware groups on public leak sites and measures three aspects of their visible operations: how activity clusters among groups, how posts follow recurring time patterns, and how victims are chosen by sector or size. These measurements are offered as evidence that the groups follow observable regularities instead of acting without pattern. A sympathetic reader would care because such regularities, if real, could be used to anticipate where and when future posts are likely to appear and which organizations are at elevated risk.

Core claim

Analysis of the leak-site dataset indicates that ransomware groups concentrate their posts among a smaller number of active entities, exhibit recurring temporal patterns in when posts appear, and apply selective criteria when choosing which victims to publicize, rather than distributing activity uniformly or at random.

What carries the argument

A compiled dataset of over 27,000 leak-site posts attributed to 325 groups, used to quantify concentration, timing regularities, and targeting selectivity.

If this is right

  • If temporal routines hold, monitoring can be scheduled to coincide with likely posting windows.
  • Concentration implies that a small number of groups account for most visible activity and could be prioritized for tracking.
  • Selective targeting patterns suggest that certain industries or organization sizes face systematically higher exposure on these sites.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The observed patterns could be cross-checked against independent sources such as victim reports or law-enforcement seizures to test consistency.
  • If routines persist, automated alerts could be built around expected posting times or victim profiles.
  • Extending the dataset forward in time would show whether the same regularities continue or shift with changes in group composition.

Load-bearing premise

Public leak-site posts accurately reflect the groups' actual operational decisions and victim choices without significant bias or omission.

What would settle it

A new collection of leak-site posts from many groups that, when measured the same way, shows uniform random distribution across time slots, victim types, and group activity levels would falsify the reported regularities.

Figures

Figures reproduced from arXiv: 2605.24559 by Lea Müller (1, 2), York Yannikos (1, 2) ((1) Fraunhofer Institute for Secure Information Technology, (2) National Research Center for Applied Cybersecurity ATHENE).

Figure 1: Lorenz curve of victim concentration across ransomware groups.
Paper text adjacent to Figure 1 (Section 3.2, Temporal Behavior): We analyzed the distribution of leak site posts over weekdays. Weekend-weekday ratio was 0.51, meaning that approximately 49% fewer leaks were posted on weekends than on weekdays.

Figure 2: Daily averages of z-standardized ransomware incident counts. Values are z-standardized within each year to control for long-term trends. Positive values indicate above-average activity, while negative values indicate below-average activity. Error bars represent 95% confidence intervals.
Paper text adjacent to Figure 2: … mean. January demonstrates a negative deviation from the yearly mean. These findings suggest a possible seasonal componen…

Figure 3: Monthly averages of z-standardized ransomware incident counts. Values are z-standardized within each year to control for long-term trends. Positive values indicate above-average activity relative to the respective yearly mean, while negative values indicate below-average activity. Error bars represent 95% confidence intervals.

Figure 4: Deviation of ransomware incident distribution from GDP baseline. Deviations illustrate the overrepresentation (positive deviation) and underrepresentation (negative deviation) in ransomware incidents relative to nations' economic scale. Note: the figure only shows nations where deviation exceeds ±0.5%.

Figure 5: Sectoral distribution of incidents. (A) Relative number of incidents per sector. (B) Deviation of ransomware incident distribution from a sectoral baseline. Deviations illustrate the sectoral overrepresentation (positive deviation) and underrepresentation (negative deviation) in ransomware incidents relative to the baseline distribution.
Paper text adjacent to Figure 5 (Section 4, Discussion): We collected and curated a dataset of 27,629 unique leak…
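The captions above name three of the paper's measurements: a Lorenz curve of victim concentration across groups, a weekend-to-weekday posting ratio, and monthly counts z-standardized within each year. The Python below is an added example, not the authors' code; it recomputes each statistic over a small constructed set of post records, and the group labels, dates and the exact ratio definition are assumptions.

```python
"""Concentration, weekday and seasonal statistics over leak-site post records.
Added example, not code from the paper. POSTS is a constructed sample (four
invented group labels, one ISO week in March 2025), not real leak-site data.
"""
from collections import Counter
from datetime import date
from statistics import mean, pstdev

# Constructed records: (group label, date of the leak-site post).
POSTS = (
    [("group-a", date(2025, 3, d)) for d in (3, 3, 4, 4, 5, 5, 6, 6, 7, 7)]  # Mon..Fri
    + [("group-b", date(2025, 3, d)) for d in (3, 3, 4, 4, 5, 5, 6, 6, 7, 7)]
    + [("group-c", date(2025, 3, 8))] * 2                                    # Saturday
    + [("group-d", date(2025, 3, 9))] * 2                                    # Sunday
)


def lorenz_curve(posts):
    """Points (share of groups, share of posts), groups ordered least to most active."""
    counts = sorted(Counter(g for g, _ in posts).values())
    total, n = sum(counts), len(counts)
    points, running = [(0.0, 0.0)], 0
    for i, c in enumerate(counts, start=1):
        running += c
        points.append((i / n, running / total))
    return points


def gini(posts):
    """Gini of posts per group: 0 = spread evenly, 1 = a single group posts everything."""
    counts = sorted(Counter(g for g, _ in posts).values())
    n, total = len(counts), sum(counts)
    weighted = sum(i * c for i, c in enumerate(counts, start=1))
    return 2 * weighted / (n * total) - (n + 1) / n


def weekend_weekday_ratio(posts):
    """Mean posts per weekend day over mean posts per weekday (assumed definition):
    0.5 means a weekend day sees half the posts of a weekday."""
    by_dow = Counter(d.weekday() for _, d in posts)  # Monday=0 .. Sunday=6
    weekday = sum(by_dow[i] for i in range(5)) / 5
    weekend = sum(by_dow[i] for i in (5, 6)) / 2
    return weekend / weekday if weekday else float("nan")


def z_within_year(monthly_counts):
    """z-standardize twelve monthly counts inside each year, so multi-year growth does
    not masquerade as seasonality. A year with zero spread maps to all zeros."""
    out = {}
    for year, months in monthly_counts.items():
        mu, sigma = mean(months), pstdev(months)
        out[year] = [(m - mu) / sigma if sigma else 0.0 for m in months]
    return out


if __name__ == "__main__":
    print("Gini:", round(gini(POSTS), 3), "Lorenz:", lorenz_curve(POSTS))
    print("weekend/weekday ratio:", weekend_weekday_ratio(POSTS))
    # Constructed two-year table: 2024 alternates 8/12 posts per month, 2025 is flat.
    print(z_within_year({2024: [8, 12] * 6, 2025: [30] * 12}))
```

The within-year standardization is what lets a January dip in a busy year and a January dip in a quiet year be compared on the same scale, which is the point of Figures 2 and 3.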
Original abstract

Ransomware has grown to become one of the most damaging types of cybercrime, affecting private and public organizations in any sector. While early types of ransomware targeted many victims via automated attacks, ransomware groups have started to specifically target organizations and companies in the expectation of receiving larger ransoms. To increase the pressure on victims, most groups host so-called data leak sites, where information about their victims is made public. The shift towards 'human-operated' ransomware together with easily accessible behavioral traces available from data leak sites makes research investigating operational regularities of ransomware groups of interest. Using leak site posts as behavioral traces of ransomware groups, we created a dataset consisting of over 27,000 posts from 325 groups. Based on this dataset, we analyzed victim concentration, temporal routines and targeting regularities. Our findings suggest that groups do not behave entirely randomly. Instead, the observable traces found on leak sites show concentration of activity, temporal routines and selective patterns.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper constructs a dataset of over 27,000 posts from 325 ransomware groups on public data-leak sites and analyzes these traces for patterns of victim concentration, temporal routines, and selective targeting. It concludes that the observable traces indicate groups do not behave entirely randomly but instead exhibit concentration of activity, temporal routines, and selective patterns.

Significance. If the central claim holds after addressing data-representativeness issues, the scale of the 27k-post dataset offers a useful empirical resource for studying ransomware operations. The work's strength lies in its use of publicly accessible behavioral traces to generate falsifiable observations about group-level regularities, which could inform both academic understanding and practical defenses if selection effects are properly bounded.

major comments (2)
  1. [Dataset construction] Dataset construction (as described in the abstract and implied methods): the central claim that leak-site posts reveal non-random operational behavior rests on the untested assumption that these posts form an unbiased sample of actual victimizations. No sampling frame, coverage estimate, or discussion of groups that avoid leak sites entirely is supplied, so observed regularities could be artifacts of disclosure policy rather than targeting decisions.
  2. [Abstract] Abstract: the headline findings on non-randomness are stated without any description of the statistical methods, controls for selection bias, error bars, hypothesis tests, or validation steps used to establish that the patterns deviate from randomness; this absence makes it impossible to evaluate whether the data support the claim.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive comments. We address each major point below, clarifying the scope of our analysis on observable public traces while acknowledging data limitations inherent to leak-site data.

Point-by-point responses
  1. Referee: [Dataset construction] Dataset construction (as described in the abstract and implied methods): the central claim that leak-site posts reveal non-random operational behavior rests on the untested assumption that these posts form an unbiased sample of actual victimizations. No sampling frame, coverage estimate, or discussion of groups that avoid leak sites entirely is supplied, so observed regularities could be artifacts of disclosure policy rather than targeting decisions.

    Authors: The paper explicitly analyzes patterns in the 27,000+ publicly posted traces from groups that operate leak sites; it does not claim these form an unbiased sample of all ransomware victimizations. We will add an explicit limitations subsection stating that the dataset covers only groups using public disclosure and that groups avoiding leak sites are outside the observable scope. No coverage estimate for non-disclosing groups can be derived from public data. revision: partial

  2. Referee: [Abstract] Abstract: the headline findings on non-randomness are stated without any description of the statistical methods, controls for selection bias, error bars, hypothesis tests, or validation steps used to establish that the patterns deviate from randomness; this absence makes it impossible to evaluate whether the data support the claim.

    Authors: Abstracts conventionally omit detailed methods, but we agree a concise reference to the analytical approach would aid evaluation. We will revise the abstract to note that concentration, temporal, and targeting patterns were assessed via statistical tests against null models of randomness, with details and controls provided in the methods and results sections. revision: yes

standing simulated objections not resolved
  • No public data exists on ransomware groups that avoid leak sites, so a sampling frame or coverage estimate for the full population of groups cannot be supplied.

Circularity Check

0 steps flagged

No circularity: purely observational dataset analysis

Full rationale

The paper constructs a dataset of >27k leak-site posts from 325 groups and reports descriptive patterns in concentration, temporal routines, and targeting. No equations, parameters, derivations, or predictions are defined; results are presented as direct empirical observations from the collected posts without any reduction of outputs to inputs by construction, fitted quantities renamed as predictions, or load-bearing self-citations. The work contains no mathematical chain that could exhibit the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

Abstract supplies no explicit parameters, axioms, or new entities; the analysis implicitly rests on the domain assumption that leak-site posts faithfully record group behavior.

axioms (1)
  • Domain assumption: leak-site posts accurately reflect ransomware groups' targeting and operational decisions without significant selection or reporting bias.
    Invoked when treating the 27,000 posts as behavioral traces.

pith-pipeline@v0.9.1-grok · 5722 in / 1155 out tokens · 43307 ms · 2026-06-30T13:05:20.726286+00:00 · methodology

