In the ever-evolving battle against cybercrime, knowledge is the ultimate weapon. Cyber defenders need to rely on trustworthy threat intelligence to provide the best response. Enter Ransomware.live, a website that has become a beacon of real-time intelligence for law enforcement, cybersecurity professionals and beyond. Founded by Julien Mousqueton, Ransomware.live is shedding light on the shadowy world of ransomware attacks, one data point at a time.

Mousqueton, CTO for Cybersecurity at Computacenter, started Ransomware.live in 2021 as a tool for himself and a few colleagues before realizing he could build the ‘Wikipedia for ransomware.’ His website is now used by millions of people across the world, including government and law enforcement agencies. It also serves as a tool to show that cybersecurity is for everyone and bust some cyber-myths.

Infosecurity asked Mousqueton to reveal his secret sauce, which involves a €10pcm server, some homemade scripts and OpenAI’s ChatGPT.

Infosecurity Magazine: When and why did you start Ransomware.live?

Julien Mousqueton: In 2021, many of Computacenter's customers started to get hit by ransomware attacks. Additionally, I was tired of hearing from security vendors claiming to experience a new cyber-attack every 11 seconds, which means nothing to me. Are they referring to intrusion attempts or actual cyber-attacks? I wanted to investigate the ransomware threat using accurate, tangible data. I quickly realized that most ransomware groups used websites on the clear and dark web to make their victims public. I started creating a simple script to collect this information and send it to colleagues and peers through a Slack channel and then through Microsoft Teams.

In 2022, I discovered Ransomwatch, a website developed by New Zealand-based Josh Highet, collecting information similar to what I had done. I used his work to build my own website, but I quickly decided I wanted to add more information, such as screenshots of ransomware claims or victim descriptions. Similar websites like Ransomfeed or RansomLook were also built from Highet's work.

In the summer of 2024, I rewrote the data-collecting script, gave my website's front end a complete makeover and added additional information. This new version was a way for me to distinguish myself from the competition, but it was also in response to suggestions and requests from government and law enforcement agencies. Now, approximately 80% of the website's code is my doing.

IM: Who is your website for and what can be found there?

JM: Today, on Ransomware.live, you will find the following information:

Real-time data on the ransomware claim: every new ransomware claim, the name of the ransomware group, a screenshot of the claim when available, the name of the claimed victim, the discovery date, an estimated attack date when available

Contextual data on the claimed victim: a short description of the organization, its sector, the country it is located in, a link to its main website, infostealer data

Contextual data on ransomware groups: techniques, tactics and procedures (TTPs) and YARA rules

Links to press articles reporting ransomware attacks

Screenshots of ransom notes and negotiation chats when available

Statistics on ransomware groups and ransomware victims

My idea was to build the "Wikipedia for ransomware," but purely based on my own needs.

Ransomware.live homepage

The website's primary goal is to raise awareness about ransomware threats for people within and outside the cybersecurity industry. What makes me proud is when people use my website to show that cybersecurity is for everyone and bust some myths about cyber-attacks. For instance, I was pleased to see that a security vendor recently used screenshots from Ransomware.live to show its clients that small companies were also hit by ransomware attacks. Additionally, I have received feedback from the Dutch National Police and Quebec's Ministry of Cybersecurity and the Digital Economy. I have also heard from people in the industry that people at the French Ministry of the Interior, at some cyber departments within the French Army or France's Healthcare Computer Emergency and Response Team (CERT Santé) use Ransomware.live.

"I believe that providing raw information should be free."