// About_&_Methodology

How the Ransom Scope feed is collected, verified, and published.

// Mission

Ransom Scope is a free, open ransomware threat intelligence platform. We aggregate publicly disclosed victim listings, indicators of compromise, exploited vulnerabilities, and adversary tradecraft from authoritative open sources, normalize them into STIX 2.1, and republish them as a TAXII 2.1 feed for analysts, SOC teams, and TIP operators.

// Data Sources

Every record carries a source attribution and a first_seen timestamp. We do not enrich with private feeds, paid datasets, or undisclosed contributors.

  • ransomware.live: Victim disclosures. Every 15 minutes.
  • abuse.ch ThreatFox: IOCs (hashes, IPs, URLs). Hourly.
  • CISA KEV: Known Exploited Vulnerabilities. Every 6 hours.
  • NVD: CVE metadata, CVSS, CWE. Every 6 hours.
  • MITRE ATT&CK: Techniques, sub-techniques. Weekly (manual review).

// Verification Workflow

  1. Ingest. Scheduled workers pull from each upstream on the cadence above. Every run is logged to ingestion_runs (publicly visible on /status).
  2. Normalize. Records are mapped to a shared schema: groups, victims, IOCs, CVEs, detections, techniques. Slugs and identifiers are canonicalized so the same actor under different aliases collapses to one record.
  3. Deduplicate. IOCs are keyed by (type, value); victims by (group, name, disclosed_at); CVEs by NVD ID. Duplicates upsert rather than insert.
  4. Publish. New and changed records are appended to the changelog, exposed via the TAXII 2.1 feed, and broadcast on the RSS feed.
  5. Correct. Mistakes happen. Submit corrections via the contact form below; they are processed within 48 hours and noted in the changelog.
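
The normalize and deduplicate steps above, sketched as an added example (this is not Ransom Scope's own code). The alias table, record field names, the case-folding rule for IOC values, and the keep-earliest first_seen rule are assumptions; the sample records are constructed.

```python
import re
from datetime import datetime, timezone

# Hypothetical alias table: maps alias slugs to one canonical group slug.
ALIASES = {"lockbit3": "lockbit", "lockbit-3-0": "lockbit"}

def slugify(name):
    """Lowercase, collapse non-alphanumerics to '-', then resolve aliases."""
    slug = re.sub(r"[^a-z0-9]+", "-", name.strip().lower()).strip("-")
    return ALIASES.get(slug, slug)

def dedup_key(rec):
    """Build the key for each record kind as listed in step 3."""
    kind = rec["kind"]
    if kind == "ioc":
        # Assumption: hashes, IPs and domains compare case-insensitively; URLs do not.
        value = rec["value"].strip()
        return ("ioc", rec["type"], value if rec["type"] == "url" else value.lower())
    if kind == "victim":
        return ("victim", slugify(rec["group"]), rec["name"].strip().lower(), rec["disclosed_at"])
    if kind == "cve":
        return ("cve", rec["id"].upper())
    raise ValueError(f"unknown record kind: {kind!r}")

def upsert(store, rec, seen_at):
    """Insert new records; on a duplicate, merge sources and keep the earliest first_seen."""
    key = dedup_key(rec)
    row = store.get(key)
    if row is None:
        store[key] = {**rec, "first_seen": seen_at, "sources": {rec["source"]}}
        return "inserted"
    row["sources"].add(rec["source"])
    row["first_seen"] = min(row["first_seen"], seen_at)
    return "updated"

# Constructed sample records (not real feed data); the CVE ID is a placeholder.
SAMPLE = [
    {"kind": "victim", "group": "LockBit 3.0", "name": "Example Corp", "disclosed_at": "2024-01-02", "source": "ransomware.live"},
    {"kind": "victim", "group": "lockbit", "name": "example corp", "disclosed_at": "2024-01-02", "source": "ransomware.live"},
    {"kind": "ioc", "type": "domain", "value": "Bad.Example", "source": "abuse.ch ThreatFox"},
    {"kind": "cve", "id": "cve-0000-00000", "source": "NVD"},
]

def run(records):
    """Upsert every record into a fresh store; return the store and per-record outcome."""
    store, t0 = {}, datetime(2024, 1, 2, tzinfo=timezone.utc)
    results = [upsert(store, r, t0) for r in records]
    return store, results
```

The second victim record resolves to the same key as the first through the alias table, so it updates the existing row instead of creating a new one.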

// TLP Policy

All published data is TLP:CLEAR. Every source we ingest publishes under TLP:CLEAR or an equivalent open license. We do not accept, store, or republish TLP:AMBER, TLP:RED, or TLP:GREEN material. If you believe a record we publish contains restricted content, file a takedown via the contact form and we will review within 24 hours.

// Update Cadence

  • Victim disclosures: every 15 minutes.
  • IOCs: hourly.
  • CVEs (KEV + NVD): every 6 hours.
  • MITRE ATT&CK technique mappings: weekly, after manual review.
  • Group profiles: continuously, as new victims or TTPs are observed.

Live ingester health is on /status. Every successful run timestamp and the most recent error per source are shown publicly.

// What Ransom Scope Is Not

  • We are not a victim notification service. We mirror public leak-site postings; we do not contact victims.
  • We do not host stolen data, leak samples, ransom notes, or any material exfiltrated by ransomware operators.
  • We do not provide attribution beyond what upstream sources publish.
  • We are not affiliated with any government agency, vendor, or commercial threat-intel provider.

// Disclaimers

Ransom Scope is provided as a free research resource. By using this site or any of its data feeds, you agree to the following:

  • Informational purpose only. The feed is meant for threat awareness and research. It is not a definitive statement of fact about any organization, actor, or incident.
  • Provided as-is. We make no warranty about completeness, accuracy, timeliness, or uninterrupted availability. Sources change format, APIs go down, and duplicates can slip through.
  • Verify before acting. Always confirm IOCs, CVEs, and victim details against your own telemetry, vendor tools, or authoritative incident reports before blocking, quarantining, or escalating.
  • Not professional advice. Nothing on this site is legal, incident-response, forensic, cyber-insurance, or compliance advice.
  • Not a victim notification service. We mirror public leak-site postings. We do not contact victims, negotiate with actors, or assist in remediation.
  • No affiliation. Ransom Scope is an independent side project. It is not affiliated with any government, law enforcement agency, vendor, or commercial threat-intelligence provider.
  • Use at your own risk. You are responsible for how you use this data, including any automated blocks, alerts, or reports you generate from it.
  • No liability. Ransom Scope and its operators are not liable for any damage, loss, or decision made based on the information published here.
  • Attribution to upstream sources. All intelligence originates from the public sources listed above. Ransom Scope does not claim ownership of third-party data and may remove or correct records at any time.
  • No offensive use. Data from this site must not be used to attack, harass, defame, or harm any person or organization.

If you need legally reliable or operationally critical intelligence, consult a licensed professional or commercial threat-intelligence provider.

// Contact

Use the form below to reach the Ransom Scope team. Choose a category so your message is routed correctly. Submissions are stored securely and reviewed by maintainers — typical response time is under 48 hours.

By submitting you agree your message may be stored for triage and audit.

For coordinated security disclosures, see /.well-known/security.txt.