Analyzing Concentration, Temporal Routines and Targeting in Public Ransomware Leak Site Data

Computer Science > Cryptography and Security [Submitted on 23 May 2026] Analyzing Concentration, Temporal Routines and Targeting in Public Ransomware Leak Site Data Lea Müller (1 and 2), York Yannikos (1 and 2) ((1) Fraunhofer Institute for Secure Information Technology, (2) National Research Center for Applied Cybersecurity ATHENE) Ransomware has grown to become one of the most damaging types of cybercrime, affecting private and public organizations in any sector. While early types of ransomware targeted many victims via automated attacks, ransomware groups have started to specifically target organizations and companies in the expectation of receiving larger ransoms. To increase the pressure on victims, most groups host so-called data leak sites, where information about their victims is made public. The shift towards 'human-operated' ransomware together with easily accessible behavioral traces available from data leak sites makes research investigating operational regularities of ransomware groups of interest. Using leak site posts as behavioral traces of ransomware groups, we created a dataset consisting of over 27,000 posts from 325 groups. Based on this dataset, we analyzed victim concentration, temporal routines and targeting regularities. Our findings suggest that groups do not behave entirely random. Instead, the observable traces found on leak sites show concentration of activity, temporal routines and selective patterns. Comments: 17 pages, 5 figures Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2605.24559 [cs.CR]   (or arXiv:2605.24559v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2605.24559 Focus to learn more Submission history From: Lea Müller [view email] [v1] Sat, 23 May 2026 12:50:53 UTC (53 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-05 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)