Ransomware: Live Threat Intelligence & Analysis
Track the latest ransomware attacks, groups and campaigns in real time, with analysis of where the threat is heading and how to defend.
Ransomware remains the most disruptive and financially damaging cyber threat facing organizations, and it is also one of the fastest-moving. Groups rebrand, splinter and get disrupted by law enforcement constantly, while affiliates migrate between operations — which is exactly why real-time tracking matters. This page surfaces the latest ransomware reporting aggregated from dozens of authoritative sources, and the analysis below explains the trends shaping the threat.
The current ransomware landscape
Modern ransomware is a professionalized criminal industry built on the Ransomware-as-a-Service (RaaS) model, where developers rent their malware and infrastructure to affiliates who carry out intrusions. This division of labor has dramatically lowered the barrier to entry and made the ecosystem highly resilient: when one brand is taken down, its affiliates simply move to another.
The dominant tactical shift has been toward double and triple extortion. Rather than only encrypting data, groups now steal it first and threaten to publish it on leak sites — meaning even organizations with flawless backups face a data-breach crisis. Some operations have moved to pure data extortion, skipping encryption entirely.
Why it matters
A serious ransomware incident is not just an IT problem; it is a business crisis that can halt operations, trigger regulatory obligations, and inflict lasting reputational damage. Critical-infrastructure operators, healthcare providers and managed-service providers (MSPs) are especially targeted — MSPs because compromising one can yield access to many downstream victims at once.
What to watch
- Initial access trends — most ransomware begins with phishing, stolen credentials on exposed remote-access services, or exploitation of unpatched internet-facing vulnerabilities.
- New and rebranded groups — tracking which operations are active, and the affiliates moving between them.
- Mass-exploitation events — groups increasingly weaponize a single vulnerability in widely used software to hit thousands of organizations simultaneously.
- Leak-site activity — new victim listings are an early signal of active campaigns.
Defensive priorities
No single control stops ransomware, but a layered approach dramatically reduces risk: patch internet-facing systems fast (prioritizing actively exploited flaws), enforce phishing-resistant multi-factor authentication, maintain offline and immutable backups, segment networks to limit lateral movement, and deploy behavior-based endpoint detection to catch the pre-encryption stages. For the full picture, read our guide to how ransomware works and how to stop it.
Because the landscape shifts weekly, staying informed is itself part of the defense. The live feed below tracks ransomware reporting as it breaks.