Core concepts
Group
A ransomware group or data-extortion collective tracked by RansomLook. Groups usually operate one or more leak sites, file servers and communication channels.
Actor
A named individual or pseudonym (threat actor, developer, affiliate, broker, admin, etc.) related to ransomware or data-extortion activity.
Victim / Post
A single entry published by a group about a targeted organisation. In RansomLook this is usually stored as a "post" and is associated with one group and one discovery timestamp.
RaaS
Ransomware-as-a-Service. Operating model where a core team develops the ransomware and infrastructure, while affiliates perform intrusions and share the profits.
Infrastructure types
DLS
Dedicated Leak Site / Darknet Leak Site. Tor-based website operated by a group to list victims and publish stolen data when ransoms are not paid.
FS
File Server / File Storage. Infrastructure used to host or distribute stolen data (archives, samples, full dumps).
Chat
Communication endpoints used for negotiation or contact with victims and affiliates. Includes web-based chat, Telegram, X/Twitter, email and other messaging.
Admin / Affiliates panel
Administrative or affiliate-focused infrastructure not intended for public victim browsing. Examples include recruitment panels, campaign portals and status pages.
Relay / Mirror
A technical copy of a group's site accessible at a different domain or onion address. RansomLook tracks each relay as a separate location with its own status.
Slug
Normalised name used internally to build URLs for a specific location of a group. Used to create deterministic filenames and links.
Private location
A location stored in the database but not displayed to unauthenticated visitors. Still used for scraping, monitoring and metrics.
Data and metrics
Parser
Piece of code dedicated to a specific group or site. Extracts structured data from HTML pages (victim name, sector, country, dates, etc.).
Discovery date
Timestamp at which RansomLook first observed a victim post. May differ from the original intrusion or encryption date.
Leak / Dataleak
Public dataset containing credentials or other information exposed in previous breaches. RansomLook integrates external leak databases for enrichment.
Ransom notes
Text files or HTML pages left on compromised systems by ransomware operators. RansomLook indexes ransom notes to help identify families and operations.
Crypto address / Wallet
Cryptocurrency address controlled or used by a group or affiliate to receive ransom payments. Monitored and correlated with known activity.
Ecosystem and sources
Markets / Forums
Darknet or clearnet platforms where actors trade access, data, tools or services. Tracked as separate entities from ransomware groups.
RF Dumps
Optional Recorded Future integration providing additional leak information and dumps. Requires a private API key.
Onion service (Tor)
Hidden service accessible through the Tor network. Most DLS, FS and negotiation panels are onion services, sometimes with multiple relays.
v3 onion
Current version of Tor hidden service addresses (56-character .onion domains). RansomLook tracks versions to classify infrastructure changes.
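The version classification mentioned under "v3 onion" can be sketched as follows. This is an added example, not RansomLook's own code. The function names are hypothetical, the sample key bytes are constructed, and the checksum layout follows the Tor v3 address format (32-byte public key, 2-byte checksum, 1-byte version, base32-encoded), with 16-character labels treated as the retired v2 format.

```python
import base64
import hashlib

V3_VERSION = b"\x03"

def v3_checksum(pubkey: bytes) -> bytes:
    # Tor v3 format: first 2 bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from 32 key bytes (used here only to make sample data)."""
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion(host: str) -> str:
    """Return 'v3', 'v2' or 'invalid' for a scraped hostname."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]  # drop any subdomain labels
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # wrong alphabet or wrong length for base32
        return "invalid"
    if len(label) == 16 and len(raw) == 10:
        return "v2"  # legacy 80-bit address, carries no checksum to verify
    if len(label) == 56 and len(raw) == 35:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == V3_VERSION and checksum == v3_checksum(pubkey):
            return "v3"
    return "invalid"  # right suffix, but not a well-formed onion address

if __name__ == "__main__":
    # Constructed key bytes, not a real service.
    sample_v3 = encode_v3(bytes(range(32)))
    samples = (
        sample_v3,
        "abcdefghijklmnop.onion",      # constructed v2-shaped label
        sample_v3[:-7] + "e.onion",    # version byte altered, must be rejected
        "example.com",
    )
    for host in samples:
        print(f"{classify_onion(host):8} {host}")
```

Verifying the checksum rather than only the length filters out truncated or mistyped addresses before they are stored as a new location.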
Relationships
Affiliates
External operators who work with a core ransomware group. Perform intrusions, deploy ransomware and share a percentage of the ransom.
Peers
Other actors linked to a given individual. Can represent collaboration, shared infrastructure or repeated co-appearance in operations.
Groups / Forums relations
Links between one actor and multiple groups or markets. RansomLook stores these so users can explore which actors operate across which ecosystems.