Analyzing Concentration, Temporal Routines and Targeting in Public Ransomware Leak Site Data
Pith reviewed 2026-06-30 13:05 UTC · model grok-4.3
The pith
Ransomware groups show concentration of activity, temporal routines, and selective targeting in leak site posts rather than random behavior.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Analysis of the leak-site dataset indicates that ransomware groups concentrate their posts among a smaller number of active entities, exhibit recurring temporal patterns in when posts appear, and apply selective criteria when choosing which victims to publicize, rather than distributing activity uniformly or at random.
What carries the argument
A compiled dataset of over 27,000 leak-site posts attributed to 325 groups, used to quantify concentration, timing regularities, and targeting selectivity.
If this is right
- If temporal routines hold, monitoring can be scheduled to coincide with likely posting windows.
- Concentration implies that a small number of groups account for most visible activity and could be prioritized for tracking.
- Selective targeting patterns suggest that certain industries or organization sizes face systematically higher exposure on these sites.
Where Pith is reading between the lines
- The observed patterns could be cross-checked against independent sources such as victim reports or law-enforcement seizures to test consistency.
- If routines persist, automated alerts could be built around expected posting times or victim profiles.
- Extending the dataset forward in time would show whether the same regularities continue or shift with changes in group composition.
Load-bearing premise
Public leak-site posts accurately reflect the groups' actual operational decisions and victim choices without significant bias or omission.
What would settle it
A new collection of leak-site posts from many groups that, when measured the same way, shows uniform random distribution across time slots, victim types, and group activity levels would falsify the reported regularities.
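The measurement the preceding paragraph describes, as an added example rather than code from the paper: on a constructed sample of leak-site posts it computes the share of posts from the two most active groups and a Gini coefficient over per-group counts, then tests the weekday and sector distributions against a uniform null by Monte Carlo simulation. The group names, dates and sector list are constructed, and the Gini and chi-square choices are assumptions here, not the paper's stated method.

```python
# Added example (not the paper's code): measure the regularities the paper reports
# on a constructed sample of leak-site posts and test each against a uniform null.
import random
from collections import Counter
from datetime import date

POSTS = [  # constructed sample: (group, ISO post date, victim sector)
    ("A", "2025-01-06", "manufacturing"), ("A", "2025-01-13", "manufacturing"),
    ("A", "2025-01-20", "healthcare"), ("A", "2025-01-27", "manufacturing"),
    ("A", "2025-02-03", "manufacturing"), ("A", "2025-02-10", "healthcare"),
    ("A", "2025-02-17", "manufacturing"), ("A", "2025-01-08", "education"),
    ("B", "2025-02-24", "manufacturing"), ("B", "2025-03-03", "healthcare"),
    ("B", "2025-03-10", "manufacturing"), ("B", "2025-01-15", "finance"),
    ("C", "2025-01-23", "healthcare"), ("C", "2025-02-05", "education"),
    ("D", "2025-02-13", "manufacturing"), ("E", "2025-02-20", "retail"),
]
SECTORS = ["manufacturing", "healthcare", "education", "finance", "retail"]

def gini(counts):
    """Gini coefficient of per-group post counts: 0 = even, near 1 = concentrated."""
    xs = sorted(counts)
    n, total = len(xs), sum(xs)
    return 2 * sum(i * x for i, x in enumerate(xs, 1)) / (n * total) - (n + 1) / n

def chi_square(observed):
    """Goodness-of-fit statistic against a uniform expectation over all cells."""
    expected = sum(observed) / len(observed)
    return sum((o - expected) ** 2 / expected for o in observed)

def uniform_null_test(observed, trials=2000, seed=1):
    """Monte Carlo p-value of the observed chi-square under uniform random placement."""
    rng = random.Random(seed)
    n, cells, stat = sum(observed), len(observed), chi_square(observed)
    hits = 0
    for _ in range(trials):  # place n posts uniformly over the same cells, recompute
        sim = [0] * cells
        for _ in range(n):
            sim[rng.randrange(cells)] += 1
        hits += chi_square(sim) >= stat
    return stat, (hits + 1) / (trials + 1)  # +1: never report p = 0 from a simulation

def report(posts):
    """All three lenses: group concentration, weekday routine, sector targeting."""
    groups = sorted(Counter(p[0] for p in posts).values())
    days = Counter(date.fromisoformat(p[1]).weekday() for p in posts)  # Monday = 0
    sectors = Counter(p[2] for p in posts)
    return {"top2_share": sum(groups[-2:]) / len(posts), "gini": gini(groups),
            "weekday": uniform_null_test([days[d] for d in range(7)]),
            "sector": uniform_null_test([sectors[s] for s in SECTORS])}
```

Empty cells (weekdays or sectors with no posts) are kept in the count vectors so the null model places posts over the full set of cells, not only the ones that happened to appear.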
Original abstract
Ransomware has grown to become one of the most damaging types of cybercrime, affecting private and public organizations in any sector. While early types of ransomware targeted many victims via automated attacks, ransomware groups have started to specifically target organizations and companies in the expectation of receiving larger ransoms. To increase the pressure on victims, most groups host so-called data leak sites, where information about their victims is made public. The shift towards 'human-operated' ransomware together with easily accessible behavioral traces available from data leak sites makes research investigating operational regularities of ransomware groups of interest. Using leak site posts as behavioral traces of ransomware groups, we created a dataset consisting of over 27,000 posts from 325 groups. Based on this dataset, we analyzed victim concentration, temporal routines and targeting regularities. Our findings suggest that groups do not behave entirely randomly. Instead, the observable traces found on leak sites show concentration of activity, temporal routines and selective patterns.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper constructs a dataset of over 27,000 posts from 325 ransomware groups on public data-leak sites and analyzes these traces for patterns of victim concentration, temporal routines, and selective targeting. It concludes that the observable traces indicate groups do not behave entirely randomly but instead exhibit concentration of activity, temporal routines, and selective patterns.
Significance. If the central claim holds after addressing data-representativeness issues, the scale of the 27k-post dataset offers a useful empirical resource for studying ransomware operations. The work's strength lies in its use of publicly accessible behavioral traces to generate falsifiable observations about group-level regularities, which could inform both academic understanding and practical defenses if selection effects are properly bounded.
major comments (2)
- [Dataset construction] Dataset construction (as described in the abstract and implied methods): the central claim that leak-site posts reveal non-random operational behavior rests on the untested assumption that these posts form an unbiased sample of actual victimizations. No sampling frame, coverage estimate, or discussion of groups that avoid leak sites entirely is supplied, so observed regularities could be artifacts of disclosure policy rather than targeting decisions.
- [Abstract] Abstract: the headline findings on non-randomness are stated without any description of the statistical methods, controls for selection bias, error bars, hypothesis tests, or validation steps used to establish that the patterns deviate from randomness; this absence makes it impossible to evaluate whether the data support the claim.
Simulated Author's Rebuttal
We thank the referee for the constructive comments. We address each major point below, clarifying the scope of our analysis on observable public traces while acknowledging data limitations inherent to leak-site data.
Point-by-point responses
- Referee: [Dataset construction] Dataset construction (as described in the abstract and implied methods): the central claim that leak-site posts reveal non-random operational behavior rests on the untested assumption that these posts form an unbiased sample of actual victimizations. No sampling frame, coverage estimate, or discussion of groups that avoid leak sites entirely is supplied, so observed regularities could be artifacts of disclosure policy rather than targeting decisions.
  Authors: The paper explicitly analyzes patterns in the 27,000+ publicly posted traces from groups that operate leak sites; it does not claim these form an unbiased sample of all ransomware victimizations. We will add an explicit limitations subsection stating that the dataset covers only groups using public disclosure and that groups avoiding leak sites are outside the observable scope. No coverage estimate for non-disclosing groups can be derived from public data. (revision: partial)
- Referee: [Abstract] Abstract: the headline findings on non-randomness are stated without any description of the statistical methods, controls for selection bias, error bars, hypothesis tests, or validation steps used to establish that the patterns deviate from randomness; this absence makes it impossible to evaluate whether the data support the claim.
  Authors: Abstracts conventionally omit detailed methods, but we agree a concise reference to the analytical approach would aid evaluation. We will revise the abstract to note that concentration, temporal, and targeting patterns were assessed via statistical tests against null models of randomness, with details and controls provided in the methods and results sections. (revision: yes)
- No public data exists on ransomware groups that avoid leak sites, so a sampling frame or coverage estimate for the full population of groups cannot be supplied.
Circularity Check
No circularity: purely observational dataset analysis
Full rationale
The paper constructs a dataset of >27k leak-site posts from 325 groups and reports descriptive patterns in concentration, temporal routines, and targeting. No equations, parameters, derivations, or predictions are defined; results are presented as direct empirical observations from the collected posts without any reduction of outputs to inputs by construction, fitted quantities renamed as predictions, or load-bearing self-citations. The work contains no mathematical chain that could exhibit the enumerated circularity patterns.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: leak-site posts accurately reflect ransomware groups' targeting and operational decisions without significant selection or reporting bias.