Profiling the most active Ransomware Gangs: DarkWeb Dynamics

A cybersecurity research project on ransomware gangs analysing data extracted from the dark web.

Introduction

The rise of cybercrime poses a significant threat to individuals, organisations, and nations, with increasingly sophisticated groups carrying out highly targeted and organised operations.

Cybersecurity gangs collaborate, organise, and are highly elusive entities that stand out as one of the most formidable challenges to cyber security. Understanding their behavior, tactics, and operational patterns is essential for devising effective countermeasures.

This research centres on analysing data collected from Project Napweed, a UK-based dark web research initiative specialising in the analysis and tracking of cyber gangs. All referenced sources will be detailed in this article. I leveraged Python and Cursor IDE to process and analyse this data which is extracted from the dark web by Project Knapweed. This study aims to identify the most active cyber gangs and uncover patterns in their operations, particularly focusing on their activity and when they decide to make announcements.

The key objectives of this study are to answer the following pivotal questions:

• Who are the most active gangs in the dark web's ecosystem of cybercrime?

• Are there discernible patterns in their activity and timing?

Through data analysis techniques, this investigation seeks to illuminate the hidden and often concealed operations of cybercriminal networks. By combining data-driven insights with cybersecurity research, this work not only enhances our understanding of cybercrime dynamics but also provides actionable intelligence for practitioners tasked with safeguarding digital infrastructures from persistent attacks.

This study aspires to contribute to the growing field of cyber threat intelligence - enabling a deeper understanding of the ecosystems driving cybercrime.

Executive Summary

This report provides a detailed analysis of ransomware group activity over five yearss, focusing on key actors, emerging trends, and temporal attack patterns. With data spanning over 150 unique ransomware groups, it offers insights into the evolving cybercrime landscape.

Key Findings

Dominance of Major Groups

• LockBit3 emerges as the most active group, responsible for nearly 14% of recorded attacks, with the broader LockBit family dominating the ecosystem.

• Other top actors include RansomHub, ALPHV, and Play, which employ advanced techniques like double extortion to maximise impact.

Diverse Threat Landscape

• While major groups drive much of the activity, approximately half of the groups have fewer than 50 recorded attacks, reflecting the presence of smaller or transient actors.

• Emerging groups such as BianLian and BlackBasta highlight the dynamic nature of the ransomware ecosystem.

Temporal Patterns in Announcement Activity

• Hourly: Peak activity occurs at 16:00, with a steady concentration of postings from midday to evening.

• Daily: Thursdays see the highest volume of postings, with reduced activity on Sundays.

• Seasonal: September is the most active month, followed by November and October, indicating a potential alignment with business cycles and operational vulnerabilities.

Trends Over Time

• The analysis shows a marked increase in ransomware activity from 2020 to 2024, driven by the adoption of sophisticated tactics and the targeting of critical infrastructure.

Strategic Implications

Organisations must prioritise defenses against dominant actors like LockBit while tracking emerging groups and adapting to shifting attack patterns. Heightened monitoring during identified peak hours, days, and months will be critical in countering the persistent and evolving ransomware threat.

Project Scope & Data Limitations

The dataset encompasses approximately five years of data, spanning from January 12, 2020, to January 9, 2025. It's crucial to note that Project Knapweed was established in the summer of 2022, meaning the earlier data was collected retrospectively. Since its inception, Project Knapweed has undergone significant development and refinement. The team's growing expertise and evolving capabilities have led to more comprehensive and sophisticated data collection methods over time. However, readers should be aware that data from the project's early stages may be less complete due to initial limitations in collection capabilities.

The raw data is extracted into a CSV file containing three columns:

Link to raw data - https://api-v2.red-team.cloud/v1/Complete-List.csv - likely to be updated as Project Knapweed discovers more breaches.

1st Column - "Discovery Date" - this column records the date and time in the following format:

Year-Month-Day Hour:Minute:Second e.g. 2025-01-09 06:39:02

2nd Column - "RW-Group Name" - A text field containing the name of the ransomware group.

e.g. lockbit3

Note: The tactics employed by ransomware groups have evolved. While ransomware traditionally involved encrypting data and rendering systems or files inaccessible, more recent trends show a shift towards alternative methods. These include data exfiltration followed by extortion, blackmail, and harassment of data owners, often bypassing the need to deploy ransomware entirely.

3rd Column "Post Title" This column captures the title of the dark web post published by the ransomware group.

Note: The Ransomware Groups tend to post the name or website of the breached organisation as the title of the post.

e.g. Premier Tax Service or thebike.com

Data Cleansing

The CSV contains over 14,000 rows! Luckily, because of the great peeps at Project Knapweed - the data is consistent, clean and organised. Therefore, I didn't have to do much preparation on cleaning the data other than some simple python code to ignore malformed rows.

Tools

For this research, I chose Cursor IDE as my primary tool. I was particularly eager to explore its AI-powered coding support features to enhance efficiency and save time throughout the project.

In addition to Cursor IDE, I utilised several Python libraries, including Matplotlib, Pandas, and datetime. These tools were selected for their efficiency, reliability, and ability to streamline data analysis and visualisation tasks, making them invaluable to the research process.

Phase 1 - Counting and Summarising

The following Python script performs our initial data analysis. Each section is thoroughly documented with comments explaining the key operations and data transformations being performed.

import pandas as pd

# Read the CSV file with error handling
# encoding='latin-1' handles special characters, on_bad_lines='skip' ignores malformed rows
df = pd.read_csv("Complete-List.csv", encoding='latin-1', on_bad_lines='skip')

# Count and sort ransomware groups by frequency
# value_counts() returns a Series with groups as index and attack counts as values
group_counts = df["RW-Group Name"].value_counts()

# Print header for analysis results
print("\nRansomware Group Analysis:")
print("=" * 30)
print(f"\nTotal unique ransomware groups: {len(group_counts)}")
print("\nGroups by frequency (most active to least active):")
print("-" * 50)

# Create a formatted output with padding for better readability
# Iterate through each ransomware group and its attack count
# Calculate and display percentage of total attacks for each group
# Format: GroupName    Count (Percentage%)
for group, count in group_counts.items():
    percentage = (count / len(df)) * 100
    print(f"{group:<30} {count:>5} attacks ({percentage:>6.2f}%)")

# Basic statistics
# Display summary statistics section
print("\nSummary Statistics:")
print("-" * 20)
# index[0] gets the name of the most active group, iloc[0] gets their attack count
print(f"Most active group: {group_counts.index[0]} ({group_counts.iloc[0]} attacks)")
# index[-1] gets the name of the least active group, iloc[-1] gets their attack count
print(f"Least active group: {group_counts.index[-1]} ({group_counts.iloc[-1]} attacks)")
# mean() calculates the average number of attacks per group
print(f"Average attacks per group: {group_counts.mean():.2f}")

Python Code Output/Results

Ransomware Group Analysis:

==============================

Total unique ransomware groups: 155

Groups by frequency (most active to least active):

--------------------------------------------------

• lockbit3 1976 attacks ( 13.76%)

• lockbit2 1001 attacks ( 6.97%)

• ransomhub 711 attacks ( 4.95%)

• alphv 685 attacks ( 4.77%)

• play 676 attacks ( 4.71%)

• bianlian 559 attacks ( 3.89%)

• clop 476 attacks ( 3.31%)

• blackbasta 435 attacks ( 3.03%)

• 8base 402 attacks ( 2.80%)

• akira 347 attacks ( 2.42%)

• conti 330 attacks ( 2.30%)

• pysa 305 attacks ( 2.12%)

• cactus 267 attacks ( 1.86%)

• hunters 259 attacks ( 1.80%)

• qilin 221 attacks ( 1.54%)

• hiveleak 204 attacks ( 1.42%)

• everest 201 attacks ( 1.40%)

• medusa 197 attacks ( 1.37%)

• royal 187 attacks ( 1.30%)

• vicesociety 172 attacks ( 1.20%)

• blacksuit 165 attacks ( 1.15%)

• rhysida 163 attacks ( 1.14%)

• snatch 144 attacks ( 1.00%)

• ragroup 143 attacks ( 1.00%)

• avaddon 142 attacks ( 0.99%)

• blackbyte 138 attacks ( 0.96%)

• incransom 133 attacks ( 0.93%)

• ransomhouse 126 attacks ( 0.88%)

• noescape 122 attacks ( 0.85%)

• ragnarlocker 113 attacks ( 0.79%)

• killsecurity 112 attacks ( 0.78%)

• lockbit3_fs 112 attacks ( 0.78%)

• bashe 99 attacks ( 0.69%)

• cuba 98 attacks ( 0.68%)

• lynx 92 attacks ( 0.64%)

• stormous 91 attacks ( 0.63%)

• monti 90 attacks ( 0.63%)

• FOG 80 attacks ( 0.56%)

• lorenz 75 attacks ( 0.52%)

• dragonforce 74 attacks ( 0.52%)

• ransomedvc 73 attacks ( 0.51%)

• karakurt 71 attacks ( 0.49%)

• abyss 71 attacks ( 0.49%)

• eldorado 70 attacks ( 0.49%)

• handala 68 attacks ( 0.47%)

• quantum 66 attacks ( 0.46%)

• arcusmedia 59 attacks ( 0.41%)

• ransomexx 56 attacks ( 0.39%)

• darkvault 54 attacks ( 0.38%)

• losttrust 53 attacks ( 0.37%)

• mallox 53 attacks ( 0.37%)

• trigona 50 attacks ( 0.35%)

• threeam 48 attacks ( 0.33%)

• meow 48 attacks ( 0.33%)

• spacebears 46 attacks ( 0.32%)

• lv 46 attacks ( 0.32%)

• midas 44 attacks ( 0.31%)

• cicada3301 44 attacks ( 0.31%)

• ransomblog_noname 42 attacks ( 0.29%)

• donutleaks 40 attacks ( 0.28%)

• revil 39 attacks ( 0.27%)

• darkleakmarket 39 attacks ( 0.27%)

• arvinclub 39 attacks ( 0.27%)

• cloak 37 attacks ( 0.26%)

• nokoyawa 36 attacks ( 0.25%)

• spook 35 attacks ( 0.24%)

• knight 34 attacks ( 0.24%)

• helldown 33 attacks ( 0.23%)

• dAn0n 32 attacks ( 0.22%)

• marketo 32 attacks ( 0.22%)

• blackmatter 30 attacks ( 0.21%)

• suncrypt 30 attacks ( 0.21%)

• payloadbin 29 attacks ( 0.20%)

• onyx 28 attacks ( 0.19%)

• dispossessor 28 attacks ( 0.19%)

• kelvinsecurity 26 attacks ( 0.18%)

• sarcoma 25 attacks ( 0.17%)

• ciphbit 25 attacks ( 0.17%)

• lockbit3_cronos 23 attacks ( 0.16%)

• trinity 22 attacks ( 0.15%)

• xinglocker 21 attacks ( 0.15%)

• leaktheanalyst 20 attacks ( 0.14%)

• werewolves 20 attacks ( 0.14%)

• braincipher 20 attacks ( 0.14%)

• moneymessage 20 attacks ( 0.14%)

• metaencryptor 20 attacks ( 0.14%)

• flocker 20 attacks ( 0.14%)

• avoslocker 20 attacks ( 0.14%)

• underground 20 attacks ( 0.14%)

• nitrogen 19 attacks ( 0.13%)

• siegedsec 19 attacks ( 0.13%)

• daixin 18 attacks ( 0.13%)

• mountlocker 18 attacks ( 0.13%)

• embargo 16 attacks ( 0.11%)

• redransomware 16 attacks ( 0.11%)

• sabbath 16 attacks ( 0.11%)

• mosesstaff 16 attacks ( 0.11%)

• sparta 16 attacks ( 0.11%)

• cheers 15 attacks ( 0.10%)

• apt73 15 attacks ( 0.10%)

• dunghill_leak 15 attacks ( 0.10%)

• freecivilian 14 attacks ( 0.10%)

• kairos 14 attacks ( 0.10%)

• azroteam 13 attacks ( 0.09%)

• mindware 13 attacks ( 0.09%)

• groove 13 attacks ( 0.09%)

• cryp70n1c0d3 11 attacks ( 0.08%)

• icefire 11 attacks ( 0.08%)

• unsafeleak 10 attacks ( 0.07%)

• termite 10 attacks ( 0.07%)

• blackout 9 attacks ( 0.06%)

• rook 9 attacks ( 0.06%)

• alphalocker 9 attacks ( 0.06%)

• darkrace 9 attacks ( 0.06%)

• qiulong 8 attacks ( 0.06%)

• madliberator 8 attacks ( 0.06%)

• nullbulge 8 attacks ( 0.06%)

• cryptbb 8 attacks ( 0.06%)

• mogilevich 8 attacks ( 0.06%)

• nefilim 8 attacks ( 0.06%)

• malekteam 8 attacks ( 0.06%)

• 0mega 7 attacks ( 0.05%)

• hellcat 7 attacks ( 0.05%)

• yanluowang 6 attacks ( 0.04%)

• rancoz 6 attacks ( 0.04%)

• redalert 6 attacks ( 0.04%)

• dataleak 6 attacks ( 0.04%)

• pandora 5 attacks ( 0.03%)

• karma 5 attacks ( 0.03%)

• projectrelic 5 attacks ( 0.03%)

• babuk 5 attacks ( 0.03%)

• pay2key 5 attacks ( 0.03%)

• donex 5 attacks ( 0.03%)

• malas 4 attacks ( 0.03%)

• atomsilo 4 attacks ( 0.03%)

• blacktor 4 attacks ( 0.03%)

• interlock 4 attacks ( 0.03%)

• ransomblog_noname2 4 attacks ( 0.03%)

• lockdata 4 attacks ( 0.03%)

• ransomcortex 4 attacks ( 0.03%)

• blackshadow 3 attacks ( 0.02%)

• orca 3 attacks ( 0.02%)

• vendetta 3 attacks ( 0.02%)

• hellogookie 3 attacks ( 0.02%)

• vanirgroup 3 attacks ( 0.02%)

• bonacigroup 3 attacks ( 0.02%)

• cryptnet 2 attacks ( 0.01%)

• ragnarok 2 attacks ( 0.01%)

• pryx 2 attacks ( 0.01%)

• shaoleaks 2 attacks ( 0.01%)

• sensayq 2 attacks ( 0.01%)

• robinhood 1 attacks ( 0.01%)

• slug 1 attacks ( 0.01%)

• insane 1 attacks ( 0.01%)

• crosslock 1 attacks ( 0.01%)

Summary Statistics:

--------------------

Most active group: lockbit3 (1976 attacks)

Least active group: crosslock (1 attacks)

Average attacks per group: 92.62

Commentary on the Ransomware Group Analysis - Phase 1:

The analysis provides a detailed breakdown of ransomware group activity over a five-year period, showcasing the dominance of specific groups and the distribution of attacks across a diverse range of actors. With a total of 155 unique ransomware groups, the dataset offers a comprehensive view of the cybercrime landscape.

Key Observations - Dominance of LockBit

The LockBit3 group stands out as the most active, responsible for 13.76% of all recorded attacks (1,976 incidents). When combined with LockBit2 (1,001 attacks), the LockBit umbrella represents a significant portion of the ransomware ecosystem.

This suggests that LockBit is highly organised, with a consistent operational strategy enabling its sustained dominance.

The top 10 ransomware groups collectively account for a substantial proportion of the total attacks, with RansomHub (711), ALPHV (685), and Play (676) following LockBit in activity.

These groups are likely leveraging advanced techniques such as double extortion, which combines data encryption with data exfiltration to maximise pressure on victims.

Diverse Ecosystem

- While the top groups dominate, there is a long tail of less active groups. Approximately half the groups have fewer than 50 recorded attacks, indicating the presence of smaller, perhaps less-organised or short-lived entities.

Emerging Trends

- The presence of groups like **BianLian**, **BlackBasta**, and **8Base**, which have gained traction in recent years, points to the dynamic nature of the ransomware ecosystem, with new players frequently entering the scene.

Shift in Ransomware Tactics

The rise of newer groups suggests a potential shift in attack techniques, such as a focus on data exfiltration and extortion rather than traditional encryption.

Most Active Group

LockBit3 is the most active, with nearly 14% of all attacks. This highlights its dominance and possible efficiency in attack execution.

Least Active Groups

Groups like CrossLock, with only a single recorded attack, may represent smaller, experimental groups or defunct entities.

Average Activity

The average number of attacks per group (92.62) reflects significant variability, with a few highly active groups driving much of the activity while many smaller groups have limited impact.

Implications

Prioritisation of Defenses

Given the dominance of a few key groups, cybersecurity efforts should focus on understanding and mitigating the tactics, techniques, and procedures (TTPs) of actors like LockBit and its variants.

Monitoring Emerging Threats

The data highlights the importance of tracking new or resurging groups, such as BianLian and ALPHV, to anticipate shifts in the threat landscape.

Diverse Strategies

The variety of activity levels underscores the need for adaptive defense strategies that address both persistent, high-profile threats and smaller, emerging actors.

Additional Thoughts

This analysis illustrates the complexity and dynamism of ransomware operations, emphasising the importance of continuous monitoring and intelligence-sharing to stay ahead of both well-established and nascent threats. The dominance of LockBit groups reaffirms their status as critical adversaries in the ransomware landscape, while the rise of newer players signals an evolving threat ecosystem.

Phase 2 - Announcement Time Analysis

import pandas as pd
from datetime import datetime

# Read the CSV file with error handling
df = pd.read_csv("Complete-List.csv", encoding='latin-1', on_bad_lines='skip')

# Remove rows where 'Discovery Date' doesn't match the expected date format
df = df[df['Discovery Date'].str.match(r'\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}')]

# Convert the timestamp string to datetime
df['DateTime'] = pd.to_datetime(df['Discovery Date'], format='%Y-%m-%d %H:%M:%S')

# Extract various time components
df['Hour'] = df['DateTime'].dt.hour
df['Day'] = df['DateTime'].dt.day_name()
df['Month'] = df['DateTime'].dt.month_name()
df['Year'] = df['DateTime'].dt.year

# Count announcements by hour
hourly_counts = df['Hour'].value_counts().sort_index()

print("\nRANSOMWARE Announcements TIME ANALYSIS")
print("=" * 50)

# ASCII Histogram for hourly distribution
print("\n1. HOURLY PATTERNS")
print("-" * 20)
max_count = hourly_counts.max()
scale_factor = 50 / max_count  # Scale to max width of 50 characters

print("\nHourly Distribution (each █ represents approximately", round(max_count/50), "announcements)")
for hour, count in hourly_counts.items():
    bar_length = int(count * scale_factor)
    print(f"{hour:02d}:00 | {'█' * bar_length} {count}")

print(f"\nMost active hour: {hourly_counts.index[0]:02d}:00 ({hourly_counts.iloc[0]} announcements)")
print(f"Least active hour: {hourly_counts.index[-1]:02d}:00 ({hourly_counts.iloc[-1]} announcements)")
print(f"Average announcements per hour: {hourly_counts.mean():.2f}")
print("\nTop 5 Most Active Hours:")
for hour, count in hourly_counts.nlargest(5).items():
    print(f"  {hour:02d}:00 - {count} announcements")

# Daily Statistics
print("\n2. DAILY PATTERNS")
print("-" * 20)
daily_counts = df['Day'].value_counts()
print("\nAnnouncements by Day of Week:")
for day, count in daily_counts.items():
    bar_length = int(count * scale_factor)
    print(f"{day:<9} | {'█' * bar_length} {count} ({count/len(df)*100:.1f}%)")

# Monthly Statistics
print("\n3. MONTHLY PATTERNS")
print("-" * 20)
monthly_counts = df['Month'].value_counts()
print("\nTop 3 Most Active Months:")
for month, count in monthly_counts.nlargest(3).items():
    print(f"  {month}: {count} announcements ({count/len(df)*100:.1f}%)")

# Yearly Statistics
print("\n4. YEARLY TRENDS")
print("-" * 20)
yearly_counts = df['Year'].value_counts().sort_index()
print("\nAnnouncements by Year:")
for year, count in yearly_counts.items():
    bar_length = int(count * scale_factor)
    print(f"{year} | {'█' * bar_length} {count} ({count/len(df)*100:.1f}%)")

# Time Period Summary
print("\n5. OVERALL SUMMARY")
print("-" * 20)
print(f"Total number of Announcements: {len(df)}")
print(f"Date range: {df['DateTime'].min().date()} to {df['DateTime'].max().date()}")
print(f"Average announcements per day: {len(df)/df['DateTime'].dt.date.nunique():.1f}") 

Python Code Output/Results - RANSOMWARE ATTACK TIME ANALYSIS

==================================================

1. HOURLY PATTERNS

--------------------

Hourly Distribution (each █ represents approximately 22 announcements)

00:00 | ████████████████████████████████ 720

01:00 | ███████████████████ 438

02:00 | ████████████ 278

03:00 | ████████████ 278

04:00 | ███████████ 259

05:00 | ██████ 149

06:00 | ████████████████ 366

07:00 | ████████████ 276

08:00 | ████████████████████████████ 629

09:00 | ██████████████████ 420

10:00 | ████████████████████████████████████████ 898

11:00 | █████████████████ 397

12:00 | ████████████████████████████████████████████ 999

13:00 | ████████████████████ 464

14:00 | ███████████████████████████████████████████ 963

15:00 | ███████████████████████████ 619

16:00 | ██████████████████████████████████████████████████ 1117

17:00 | ██████████████████████ 502

18:00 | ██████████████████████████████████████████ 952

19:00 | ████████████████████ 459

20:00 | ████████████████████████████████████████ 910

21:00 | █████████████████ 385

22:00 | █████████████████████████████████████████ 937

23:00 | ██████████████████████████████████████████ 941

Most active hour: 00:00 (720 announcements)

Least active hour: 23:00 (941 announcements)

Average attacks per hour: 598.17

Top 5 Most Active Hours:

16:00 - 1117 announcements

12:00 - 999 announcements

14:00 - 963 announcements

18:00 - 952 announcements

23:00 - 941 announcements

2. DAILY PATTERNS

--------------------

Attacks by Day of Week:

Thursday | ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ 2872 (20.0%)

Tuesday | █████████████████████████████████████████████████████████████████████████████████████████████████████████████████ 2529 (17.6%)

Monday | ██████████████████████████████████████████████████████████████████████████████████████████████████████████████ 2460 (17.1%)

Friday | █████████████████████████████████████████████████████████████████████████████████████████████ 2079 (14.5%)

Wednesday | ███████████████████████████████████████████████████████████████████████████████████████ 1963 (13.7%)

Saturday | ███████████████████████████████████████████████████████████ 1330 (9.3%)

Sunday | ██████████████████████████████████████████████████ 1123 (7.8%)

3. MONTHLY PATTERNS

--------------------

Top 3 Most Active Months:

September: 1866 announcements (13.0%)

November: 1551 announcements (10.8%)

October: 1394 announcements (9.7%)

4. YEARLY TRENDS

--------------------

Attacks by Year:

2020 | █ 33 (0.2%)

2021 | ██████████████████████████████████████████████████████████████████████████████ 1755 (12.2%)

2022 | █████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ 2803 (19.5%)

2023 | ███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ 4637 (32.3%)

2024 | ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ 5065 (35.3%)

2025 | ██ 63 (0.4%)

5. OVERALL SUMMARY

--------------------

Total number of announcements: 14356

Date range: 2020-01-12 to 2025-01-09

Average announcements per day: 11.5

Commentary on the Announcement Time Analysis

The analysis reveals intriguing temporal patterns in activity, highlighting key hours, days, months, and years when dark web postings were made.

**However, PLEASE NOTE** - The time here is in British time, and limited to what Project Knapweed has been able to collect and isn't a true representation of the global landscape. However, it does give a good indication of the temporal patterns of activity with some known limitations.

Here’s a breakdown of the findings I observed:

Hourly Patterns

Key Observations:

Most Active Hour: 16:00 (1,117 attacks), indicating a significant spike in postings during late afternoon.

Least Active Hour: 05:00 (149 attacks), aligning with the typical quiet hours of the early morning.

Steady Peaks: Consistently high activity is observed during midday to evening (12:00–18:00), suggesting attackers operate during standard work hours in certain time zones.

Possible Explanations:

Attackers may be strategically targeting businesses during their operating hours to maximise disruption.

Evening activity may represent attackers working in different time zones or preparing for the following day.

Daily Patterns

Key Observations:

Most Active Day: Thursday (2,872 attacks, 20% of total), suggesting a strong mid-week focus for ransomware campaigns.

Least Active Day: Sunday (1,123 attacks, 7.8%), likely due to reduced activity in target organisations during the weekend.

Possible Explanations:

- Mid-week targeting aligns with organisations being fully operational, making them more susceptible to high-impact disruptions.

- Lower weekend activity could indicate attackers are taking advantage of reduced monitoring rather than launching new attacks.

Monthly Patterns

Key Observations:

Most Active Month: September (1,866 attacks, 13%), followed by November (1,551 attacks, 10.8%) and October (1,394 attacks, 9.7%).

- These months may coincide with seasonal business trends, financial reporting cycles, or heightened attacker operations.

Possible Explanations:

- Seasonal trends may drive attackers to exploit specific times when businesses are busy or less prepared (e.g., fiscal year-end, holiday seasons).

- Attack campaigns might ramp up in the fall, a period often associated with new malware developments after summer planning.

Yearly Trends

Possible Explanations:

- The sharp rise from 2020 to 2024 aligns with the increasing sophistication and prevalence of ransomware campaigns.

- Greater adoption of double-extortion tactics and targeting of critical infrastructure likely contributed to this surge.

- The decline in 2025 may be temporary or reflect evolving tactics, such as focusing on fewer but more targeted attacks.

Overall Summary

Total Attacks: 14,356 attacks over 5 years, averaging 11.5 attacks per day, highlighting the relentless nature of ransomware campaigns.

Attack Trends Over Time: The steady escalation of attacks underscores the increasing threat posed by ransomware actors, necessitating ongoing vigilance.

Insights and Implications

Operational Patterns:

- Attackers are likely leveraging business hours to maximise disruption and ransom payments.

- This trend calls for heightened monitoring and defenses during peak hours (12:00–18:00).

Temporal Campaigns:

- The focus on mid-week and fall months suggests campaigns are carefully planned, possibly to coincide with high-stress periods for targets.

Evolving Threat Landscape:

- The rapid growth in attacks over the years reflects the need for better international cooperation and stronger security measures to combat ransomware.

Conclusion

While this analysis provides valuable insights into activity during the specified period, it's important to note that it represents just one window into the broader global ransomware landscape. Nevertheless, the patterns and trends identified here offer meaningful indicators for understanding ransomware operations more generally.

Special acknowledgment goes to Project Knapweed, whose meticulous data collection and commitment to sharing threat intelligence made this analysis possible. Their work exemplifies the power of collaborative research in cybersecurity.

The technical implementation of this analysis was greatly facilitated by Cursor IDE, whose features streamlined the whole process. The developer's commitment to creating intuitive analytical tools deserves recognition.

Looking ahead, continued data collection and sharing by the cybersecurity community will be crucial for building an even more comprehensive understanding of ransomware evolution. I encourage interested readers to build upon this research and contribute their own analyses to our collective knowledge.

Thank you for engaging with this analysis. I trust these insights will strengthen your grasp of the ransomware threat landscape and contribute meaningfully to your cybersecurity strategy.