Ransomware & Dark Web Data Breach Monitor

Monitor ransomware attacks and data breaches from the dark web in near real time, using the public ransomware.live dataset in a safe and structured way.

Features • Use Cases • Input • Output • Dataset Views • Cost of Usage • Data Source

This actor fetches and filters data from the Dark Web, giving you a structured view of ransomware group activity, victim organizations, and leak announcements published on dark web data leak sites.

It is built for threat intelligence, cybersecurity, brand protection, and research teams that want to quickly integrate this information into dashboards, analytics pipelines, or SIEM systems.

✨ Key Features

• 🔍 Bulk Keyword Search: search multiple terms at once (victim names, ransomware groups, descriptions) with case-insensitive matching. * 🌍 Country Filtering: filter by country using 2-letter ISO codes (e.g., US, GB, DE, IT). * 📅 Date Range Filters: limit results to attacks discovered within a specific time window. * ⚡ Fast & Lightweight: get data in the fastest way. * 📊 Structured Output: dataset output with a defined schema, ready for BI tools, dashboards, integrations, and automation. * 🛡️ Safe Dark Web Intelligence: no direct access to .onion sites; no Tor system needed. ---
  

  🎯 Use Cases

| Use Case | Description | | :--- | :--- | | Daily Threat Monitoring | Run the actor on a schedule to find new attacks mentioning your organization, your domain, or your sector. | | Brand & Third‑Party Risk | Check whether vendors, partners, or customers have appeared in ransomware leak sites. | | Industry / Vertical Research | Analyze ransomware trends in a given vertical (e.g., healthcare, finance, manufacturing) for reports and research. | | Geographic Analysis | Monitor attacks targeting specific countries or regions using ISO codes. | | Threat Actor Tracking | Track specific campaigns of groups such as LockBit, BlackCat, Play, Akira, and many more. | | SOC / SIEM Enrichment | Enrich incidents in your SIEM with context via webhook or API. | ---

📥 Input Configuration

The actor accepts a JSON input with filters for keywords, country, date range, and maximum number of results. ### Example Input json { "keywords": "healthcare\nhospital\nmedical", "country": "US", "dateFrom": "2024-01-01", "maxResults": 500 } ### Input Parameters | Parameter | Type | Required | Default | Description | | :--- | :--- | :--- | :--- | :--- | | keywords | String | ❌ No | "" | Search terms (one per line, or separated by comma / semicolon). The search runs against victim name, group name, and description. Case-insensitive. Empty = no keyword filter. | | country | String | ❌ No | "" | 2-letter ISO country code (e.g., US, GB, DE, IT). Empty = all countries. | | dateFrom | String | ❌ No | "" | Minimum discovery date for attacks (format YYYY-MM-DD). Empty = no lower bound. | | dateTo | String | ❌ No | "" | Maximum discovery date for attacks (format YYYY-MM-DD). Empty = no upper bound. | | maxResults | Integer | ❌ No | 100 | Maximum number of records to return (min 1, max 10,000). Directly affects run time and CU usage. | ---

📤 Output

The actor produces: * A dataset with one item per filtered attack/record. * A metadata object saved in the default key‑value store under key OUTPUT (total results, total in database, applied filters). ### Output Fields (Dataset) | Field | Type | Description | | :--- | :--- | :--- | | post_title | String | Name of the victim organization. | | group_name | String | Ransomware group responsible for the attack. | | description | String | Additional context or description of the victim/attack. | | website | String | Victim’s website domain. | | country | String | 2-letter ISO country code. | | activity | String | Industry / sector of the victim. | | discovered | String (date‑time) | When the attack was detected in the dataset. | | published | String (date‑time) | When the data was published on the leak site. | | post_url | String | Original post URL on the leak site. | | modifications | Array\<Object> | History of record updates, if available. | ### Example Output Item json { "post_title": "Example Healthcare Inc", "group_name": "lockbit3", "description": "Healthcare provider with 500+ employees", "website": "https://examplehealthcare.com", "country": "US", "activity": "Healthcare", "discovered": "2024-06-15T14:32:10.123456", "published": "2024-06-14T00:00:00.000000", "post_url": "http://lockbit...onion/post/...", "modifications": [] } ### OUTPUT key (metadata) In the default key‑value store, the OUTPUT key contains: json { "totalResults": 123, "totalInDatabase": 45678, "filters": { "keywords": ["healthcare", "hospital", "medical"], "country": "US", "dateFrom": "2024-01-01", "dateTo": null, "maxResults": 500 } } ---

📊 Dataset Views

This actor defines preconfigured dataset views (see .actor/dataset_schema.json): * Overview: compact view for quick analysis, with key fields: * post_title (Victim), group_name (Ransomware Group), country, activity, discovered, published, website, post_url. * Raw Records: also shows description and modifications for deeper investigation of individual cases. You can access the dataset from the actor’s Output tab in Apify Console or via API (see the automatically generated link).