Darkfield indexes every ransomware victim disclosure that appears on a public leak site, plus aggregator feeds (RansomLook, RansomWatch, ransomware.live) we cross-check daily. At the time of writing the corpus holds 38,199 disclosures spanning roughly four years of operator activity.
38,199 public ransomware victim disclosures in the Darkfield corpus, across 470 distinct operator brands (live count on /victims).
Most reporting on ransomware treats the threat as opportunistic: spray broadly, hit whoever pays. The corpus argues the opposite. Operators specialise. Targeting follows readable patterns of sector, geography, and (where we can infer it) revenue band. This piece walks through three of the clearer ones.
1. The top operators concentrate the activity
Despite 470 distinct operator brands in the corpus, the top 10 produce something like 60% of all disclosures. The shape is power-law, not uniform.
That concentration matters because it means a defender watching only the top-10 brands captures the bulk of the risk — but the long tail still contains the specialists who run sector-targeted campaigns. The next chart shows that specialisation isn't accidental.
2. Sector specialisation is real, and it tightens over time
Browse the per-operator pages on Groups and a pattern repeats: a given operator's top sector typically accounts for 25–40% of their claimed victims — not the ~10–14% you'd expect if targeting were random across the 30 sector codes we track.
Three structural reasons for the specialisation:
- Toolchain fit. Affiliates of a given ransomware-as-a-service operator tend to share a toolset. That toolset gets tuned over time to a small set of environments (Windows shops vs. Linux shops, vSphere vs. Hyper-V), which biases sector outcomes.
- Negotiation know-how. Operators that learn how a hospital chain's board actually decides to pay get materially better extraction. They reuse that institutional knowledge.
- Sanctions geometry. Some operators avoid certain sectors (US critical infrastructure, especially after Colonial Pipeline) not because they can't reach them but because the OFAC heat is bad for business. See /sectors for the inverse of that map.
3. Geography is mostly accidental — until it isn't
Country-level distribution looks economically unsurprising at first glance: the US dominates, Western Europe is a strong second, the rest follows GDP. That part isn't targeting — it's where the digital surface area lives.
The interesting signal is in the deviations: countries that appear materially less often than their share of global IT spend would predict. Russia and the CIS states are the textbook example (operators of Russian-language origin almost universally avoid them — exclusion is built into the affiliate rulebooks). But there are also less-discussed under-represented markets: certain Latin-American markets where the macroeconomics of ransom payment in local currency make attacks structurally unprofitable, and a few small-economy EU members where data-protection enforcement appears to deter follow-through.
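The three measurements sections 1 to 3 rest on (top-N concentration, an operator's top-sector share against the corpus base rate, and observed-vs-expected country share) can be computed from any disclosure feed with the same three fields. The block below is an added example, not Darkfield's own code; the operator names, sector labels and the expected IT-spend shares are constructed stand-ins.

```python
from collections import Counter, defaultdict

# Constructed sample of leak-site disclosures as (operator, sector, country).
# The real corpus has ~38k rows; this toy set only reproduces the shape.
DISCLOSURES = [
    ("alpha", "healthcare", "US"), ("alpha", "healthcare", "US"),
    ("alpha", "healthcare", "GB"), ("alpha", "manufacturing", "DE"),
    ("alpha", "healthcare", "US"),
    ("beta", "manufacturing", "US"), ("beta", "manufacturing", "FR"),
    ("beta", "retail", "US"), ("beta", "manufacturing", "US"),
    ("gamma", "education", "US"), ("gamma", "retail", "CA"),
    ("delta", "healthcare", "US"), ("epsilon", "legal", "GB"),
]


def top_n_share(rows, n):
    """Fraction of all disclosures claimed by the n most active operators."""
    counts = Counter(op for op, _, _ in rows)
    return sum(c for _, c in counts.most_common(n)) / len(rows)


def sector_specialisation(rows, min_victims=3):
    """Per operator with >= min_victims: (top sector, its share of that
    operator's victims, lift over the corpus-wide base rate for the sector).
    Lift near 1.0 is what random 'spray' targeting would produce; well above
    1.0 is the specialisation signal the article describes."""
    base = Counter(sec for _, sec, _ in rows)
    total = len(rows)
    per_op = defaultdict(Counter)
    for op, sec, _ in rows:
        per_op[op][sec] += 1
    out = {}
    for op, secs in per_op.items():
        n = sum(secs.values())
        if n < min_victims:
            continue  # too few victims to call a pattern
        sec, c = secs.most_common(1)[0]
        share = c / n
        out[op] = (sec, round(share, 3), round(share / (base[sec] / total), 2))
    return out


def country_deviation(rows, expected_share):
    """Observed share of disclosures divided by an expected share per country
    (here a constructed stand-in for share of global IT spend). Ratios far
    below 1.0 are the under-represented markets worth a second look."""
    obs = Counter(c for _, _, c in rows)
    total = len(rows)
    return {c: round((obs[c] / total) / exp, 2) for c, exp in expected_share.items()}
```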
4. Revenue band: the mid-market gets the worst deal
Where we can match a victim to revenue band (via the AI enrichment we run on every disclosure that includes a company URL — see the canonical name and revenue inference on any victim dossier), the distribution skews heavily toward the $10M–$500M revenue bracket.
Mid-market organisations sit in an unfortunate sweet spot: big enough that disruption costs them real money, small enough that they don't have a dedicated security function, often have cyber insurance but not strong backup/restore practice, and rarely have the political weight to coordinate with a national CSIRT for negotiation support.
| Revenue band | What the corpus shows |
|---|---|
| < $10M | below this, ransom math stops working for the operator |
| $10–500M | the sweet spot — 76% of the corpus |
| > $1B | in-house IR + OFAC-aware legal + 'never pay' boards → operators move on |
What we don't see — and how to read it
Three categories of attack are systematically under-counted in the leak-site dataset. They are worth naming so you don't misread the picture:
| Hidden segment | Why we don't see it | Plausible scale |
|---|---|---|
| Operators that don't leak | A handful of newer crews exfil but skip the public-shaming phase, betting on direct extortion. | Estimated 5–10% of attacks; growing |
| Pre-payment suppressions | Victims who paid before the operator chose to list them — never reach a leak post. | 30–50% of the visible total (industry IR estimates) |
| State-aligned campaigns | DPRK and Chinese operations occasionally use ransomware as cover for espionage — rarely publish. | Small in count, outsize in impact |
Use the data
Every chart in this article is generated live from the underlying corpus — refresh the page and the bars move. The full surface lives on the public pages: per-group history on Groups, per-sector and per-country breakdowns on Sectors and Countries, the full 38k disclosure list on Victims. Every page has a permanent URL you can cite — that's the point of the observatory.