Pricing
from $3.00 / 1,000 results
Ransomware & Dark Web Data Breach Monitor
Monitor ransomware attacks and data breaches from the dark web. Track ransomware groups like LockBit, BlackCat, Play, and more. Get real-time alerts on victim organizations, leaked data, and cyber threats. Essential for threat intelligence, cybersecurity research, and brand protection.
Pricing
from $3.00 / 1,000 results
Rating
5.0
(2)
Developer
Actor stats
4
Bookmarked
94
Total users
10
Monthly active users
7 months ago
Last modified
Categories
Share
Monitor ransomware attacks and data breaches from the dark web in near real time, using the public ransomware.live dataset in a safe and structured way.
Features β’ Use Cases β’ Input β’ Output β’ Dataset Views β’ Cost of Usage β’ Data Source
This actor fetches and filters data from the Dark Web, giving you a structured view of ransomware group activity, victim organizations, and leak announcements published on dark web data leak sites.
It is built for threat intelligence, cybersecurity, brand protection, and research teams that want to quickly integrate this information into dashboards, analytics pipelines, or SIEM systems.
β¨ Key Features
- π Bulk Keyword Search: search multiple terms at once (victim names, ransomware groups, descriptions) with case-insensitive matching.
- π Country Filtering: filter by country using 2-letter ISO codes (e.g.,
US,GB,DE,IT). - π Date Range Filters: limit results to attacks discovered within a specific time window.
- β‘ Fast & Lightweight: get data in the fastest way.
- π Structured Output: dataset output with a defined schema, ready for BI tools, dashboards, integrations, and automation.
- π‘οΈ Safe Dark Web Intelligence: no direct access to .onion sites; no Tor system needed.
π― Use Cases
| Use Case | Description |
|---|---|
| Daily Threat Monitoring | Run the actor on a schedule to find new attacks mentioning your organization, your domain, or your sector. |
| Brand & ThirdβParty Risk | Check whether vendors, partners, or customers have appeared in ransomware leak sites. |
| Industry / Vertical Research | Analyze ransomware trends in a given vertical (e.g., healthcare, finance, manufacturing) for reports and research. |
| Geographic Analysis | Monitor attacks targeting specific countries or regions using ISO codes. |
| Threat Actor Tracking | Track specific campaigns of groups such as LockBit, BlackCat, Play, Akira, and many more. |
| SOC / SIEM Enrichment | Enrich incidents in your SIEM with context via webhook or API. |
π₯ Input Configuration
The actor accepts a JSON input with filters for keywords, country, date range, and maximum number of results.
Example Input
Input Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| keywords | String | β No | "" | Search terms (one per line, or separated by comma / semicolon). The search runs against victim name, group name, and description. Case-insensitive. Empty = no keyword filter. |
| country | String | β No | "" | 2-letter ISO country code (e.g., US, GB, DE, IT). Empty = all countries. |
| dateFrom | String | β No | "" | Minimum discovery date for attacks (format YYYY-MM-DD). Empty = no lower bound. |
| dateTo | String | β No | "" | Maximum discovery date for attacks (format YYYY-MM-DD). Empty = no upper bound. |
| maxResults | Integer | β No | 100 | Maximum number of records to return (min 1, max 10,000). Directly affects run time and CU usage. |
π€ Output
The actor produces:
- A dataset with one item per filtered attack/record.
- A metadata object saved in the default keyβvalue store under key
OUTPUT(total results, total in database, applied filters).
Output Fields (Dataset)
| Field | Type | Description |
|---|---|---|
| post_title | String | Name of the victim organization. |
| group_name | String | Ransomware group responsible for the attack. |
| description | String | Additional context or description of the victim/attack. |
| website | String | Victimβs website domain. |
| country | String | 2-letter ISO country code. |
| activity | String | Industry / sector of the victim. |
| discovered | String (dateβtime) | When the attack was detected in the dataset. |
| published | String (dateβtime) | When the data was published on the leak site. |
| post_url | String | Original post URL on the leak site. |
| modifications | Array<Object> | History of record updates, if available. |
Example Output Item
OUTPUT key (metadata)
In the default keyβvalue store, the OUTPUT key contains:
π Dataset Views
This actor defines preconfigured dataset views (see .actor/dataset_schema.json):
- Overview: compact view for quick analysis, with key fields:
post_title(Victim),group_name(Ransomware Group),country,activity,discovered,published,website,post_url.
- Raw Records: also shows
descriptionandmodificationsfor deeper investigation of individual cases.
You can access the dataset from the actorβs Output tab in Apify Console or via API (see the automatically generated link).
