Enhancements to Ransomware Intelligence and Transition Guide

Updated

Overview

We are continuously improving how ransomware intelligence is delivered, with a focus on making insights more dynamic, contextual, and easier to act on.

As part of this evolution, we are expanding AI-driven and conversational capabilities while enhancing existing workflows that customers rely on today. These improvements are designed to help teams move faster from insight to action and better understand ransomware risk across their organization, industry, and ecosystem.

As part of this broader evolution, the Ransomware Risk Profile will be retired on July 1st.

What’s Improving

This update reflects a shift toward a more flexible and comprehensive approach to ransomware intelligence.

Instead of relying on a single, static view, customers can now:

  • Explore ransomware activity from multiple perspectives
  • Access continuously updated intelligence based on real-world activity
  • Tailor analysis using Watch Lists and filters aligned to their organization
  • Investigate both strategic trends and specific incidents in depth
  • Leverage AI-driven capabilities to accelerate exploration and decision-making

These enhancements provide greater flexibility and allow teams to adapt workflows based on their specific needs.

Core Capabilities

Ransomware Global Landscape

The Ransomware Global Landscape is available within the Ransomware Dashboard (accessible via Dashboards in the left-side navigation). It provides a strategic overview of ransomware activity while enabling deeper analysis of victims and trends.

This capability is powered by Recorded Future’s tracking of ransomware victims and includes:

  • Top Ransomware Groups based on number of attacks
  • Most Affected Industries and Countries with trend comparisons over time
  • Ransomware Group Trends based on ongoing tracking and reporting
  • MITRE ATT&CK Matrix mapping ransomware-related techniques
  • Targeted Vulnerabilities associated with ransomware groups

Advanced Filtering and Customization

The dashboard includes a set of master filters that allow you to tailor analysis to your environment:

  • Watch Lists (Tech Stack, Third-Party, Vulnerability)
  • Ransomware Groups
  • TTPs
  • Industries
  • Countries
  • Victims
  • Vulnerabilities
  • Time period selection

Using Watch Lists, you can:

  • Identify organizations and technologies in your environment impacted by ransomware
  • Understand which vulnerabilities in your ecosystem are being targeted
  • Highlight potential exposure to future ransomware activity

Key Use Cases

  • Understanding macro ransomware trends
  • Identifying high-risk industries, regions, or technologies
  • Monitoring activity relevant to your organization or supply chain
  • Exploring relationships between ransomware groups, victims, and vulnerabilities

Learn more: https://support.recordedfuture.com/hc/en-us/articles/17755803051795-Ransomware-Global-Landscape

Ransomware Victimology

The Ransomware Victimology view provides detailed visibility into publicly known ransomware victims based on Recorded Future’s analysis of ransomware group activity and dark web sources.

You can access it directly via the Ransomware Dashboard or by pivoting from the Global Landscape.

Core Data Included

  • Victim name and domain
  • Associated ransomware group
  • First post date and leak date (if available)
  • Industry and country

Deep Investigation Capabilities

For incidents with available data, Victimology enables deeper analysis through:

  • Leaked File Paths
    Metadata for files exposed during ransomware incidents
  • Discovered Brands
    Identification of third-party organizations referenced in leaked data
  • Potential Secrets Exposed
    File paths that may contain sensitive information such as credentials

Search and Analysis

  • Global search across all victims and metadata
  • Keyword search across file path data
  • Ability to combine victim and keyword searches
  • Filtering options such as “Leaked Incidents Only” and “Curated Only”

Additional Capabilities

  • Pivot to ransomware group profiles for deeper threat actor context
  • Safely access extortion site content via the Recorded Future Sandbox
  • Export data for further analysis

Key Use Cases

  • Tracking specific ransomware incidents
  • Investigating potential exposure (direct or indirect)
  • Identifying supply chain risk through discovered brands
  • Supporting incident response and reporting

Learn more: https://support.recordedfuture.com/hc/en-us/articles/34165784794131-Ransomware-Victimology

Intelligence Card: Ransomware Profiles

Ransomware Profiles provide detailed intelligence on specific ransomware groups through Intelligence Cards.

These profiles include:

  • Background and evolution of the group
  • Tactics, techniques, and procedures (TTPs)
  • Targeting patterns and victim profiles
  • Operational behavior and trends

Key Use Cases

  • Investigating specific threat actors
  • Supporting threat hunting and response
  • Understanding attacker behavior and evolution

Learn more: https://support.recordedfuture.com/hc/en-us/articles/34074727857427-Ransomware-Profile-Supported-Ransomware-Groups

AI-Driven Reporting and Conversational Capabilities

AI-driven capabilities provide more flexible ways to explore ransomware intelligence and complement structured workflows.

These capabilities enable you to:

  • Ask natural language questions about ransomware activity
  • Generate tailored insights aligned to your organization’s priorities
  • Quickly explore relationships across datasets
  • Accelerate investigation and analysis workflows

Key Use Cases

  • Ad hoc analysis
  • Rapid investigation and hypothesis testing
  • Exploring connections across ransomware data

Learn more: https://support.recordedfuture.com/hc/en-us/articles/34165892422419-Recorded-Future-AI-Reporting

Mapping Common Workflows

If you are currently using the Ransomware Risk Profile, you can continue your workflows using a combination of the following capabilities:

  • Monitoring ransomware risk to your organization
    Use Watch List filtering in Global Landscape combined with AI-driven exploration
  • Tracking ransomware activity and trends
    Use Ransomware Global Landscape
  • Investigating specific incidents or victims
    Use Ransomware Victimology
  • Analyzing ransomware groups and behavior
    Use Ransomware Profiles
  • Exploring exposure through leaked data and third-party risk
    Use Victimology analytics such as Discovered Brands and Potential Secrets

This flexible approach allows you to adapt workflows based on your needs rather than relying on a single predefined view.

Timeline

  • June 1st – An in-product deprecation notice will appear
  • July 1st – Ransomware Risk Profile will be retired

Transition and Support

We are committed to making this transition smooth and ensuring continuity in your workflows.

  • Customer-facing teams can help map these capabilities to your workflows
  • For high-usage customers, proactive outreach and guidance are provided

If you have questions or would like support in adapting your workflows, please reach out to your Recorded Future representative.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Was this article helpful?
0 out of 0 found this helpful

Articles in this section