The `ransomleak` event type (or document subtype) represents a public leak post made by a ransomware group on a dark web site or leak portal. Each record corresponds to a specific victim organization whose exfiltrated data has been published as part of an extortion attempt. These entries typically include:
  • Victim details (company name, country, industry).
  • Threat statements or ransom instructions.
Ransom Leak (example record; all values are placeholders)
{
    "event_type": "ransomleak",
    "data": {
        "url": "http://payupnow.onion/leaks.php",
        "response_url": "http://payupnow.onion/leaks.php",
        "title": "Leak Name - Victim Name",
        "content": "Ransom Leak Listing Content",
        "body": "Ransom Leak Listing Body",
        "victim_information": {
            "name": "Victim Name",
            "display_name": "Victim Name",
            "domain": "victim-domain.com",
            "alternative_domains": [
                "victim.co"
            ],
            "industry": "Non-Profit",
            "employee_count": 1,
            "city": "New York",
            "state": "New York",
            "country": "USA",
            "latitude": 123.456,
            "longitude": 123.456
        }
    },
    "metadata": {
        "estimated_created_at": "2025-01-01T00:00:00",
        "flare_url": "https://app.flare.io/#/uid",
        "matched_at": null,
        "severity": "info",
        "uid": "index/source/id"
    }
}