{
	"id": "65053ac0-68a8-4128-a0fe-d468c4931d36",
	"created_at": "2026-04-06T00:18:25.427386Z",
	"updated_at": "2026-04-10T03:21:38.898726Z",
	"deleted_at": null,
	"sha1_hash": "e4045a0b663eaba6bdf1001b87ca47d374e6e3c6",
	"title": "Ransomware and Data Leak Site Publication Time Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220772,
	"plain_text": "Ransomware and Data Leak Site Publication Time Analysis\r\nPublished: 2021-04-25 · Archived: 2026-04-05 21:33:19 UTC\r\nRansomware – the threat that breaches a victim network, steals data, encrypts local systems and\r\npublishes the stolen data\r\n– (image by mohamed_hassan)\r\nRansomware\r\nWhat was once a threat to every internet user due to the widespread nature of campaigns – infect as many devices\r\nas possible, extort for a small ransom – has turned into a multi-million dollar payment game. Ransomware\r\noperators are now playing in the big league. Ransom demands in the $50M range have now been seen several\r\ntimes, and payments in the tens of millions are not unheard of.\r\nFor the past year I have been monitoring ransomware and data leak sites. What initially started as a website\r\nrefresh several times a day has turned into a fully automated system that tracks 20+ leak sites, browses all listing\r\npages, extracts victim name, publication date and some other details, parses the output, compares it to the last run\r\nand notifies subscribers of the newly listed victim.\r\nAn interesting output of this project is the fact that the sites are monitored 24 hours a day, 7 days a week. This\r\nallows me to gain interesting insight into when ransomware operators are working by publishing victim data. Yes, I\r\nbelieve some data leak systems are automated and no human is pushing a button, but for some leak sites you can\r\nidentify patterns of working hours.\r\nFor the below analysis I reviewed the data between December 2020 and April 2021 from leak sites with more than\r\n35 new victims listed. 
The following nine ransomware and leak sites made it into the analysis:\r\nhttps://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/\r\nPage 1 of 5\n\nName Victim Count\r\nAvaddon 107\r\nBABUK 51\r\nCL0P 42\r\nConti 192\r\nDarkSide 126\r\nDoppelPaymer 71\r\nNefilim 36\r\nPYSA 135\r\nREvil 107\r\nTotal 867\r\nTable: Ransomware and data leak site victims (December 2020 to April 2021)\r\nThe first interesting observation that stands out is that PYSA has four slots in which they publish their victims.\r\nA vast number of victims are listed in the hours starting at 00:00 UTC and 11:00 UTC. Only a handful of victims\r\nare added after 06:00 UTC and after 15:00 UTC. I can say with high confidence that this is likely the result of\r\nautomation on their end. This is also supported by the observation that PYSA leaks many victims at the same time,\r\nin one go.\r\nAlmost the opposite can be seen by looking at the publication times of Conti. The operators behind this leak site\r\nspread publication across the full day, with increased publications in the hours of 08:00 UTC, 09:00 UTC and\r\n22:00 UTC.\r\nFor some other leak sites you can see some down-time, off-work hours. In my opinion, CL0P is a great example\r\nof this behaviour. 
No new victims were listed between 01:00 and 10:00 UTC, the night time in Europe and\r\nneighbouring countries.\r\nEnough pre-text, here is the output table:\r\nTable showing publication hours of data leak sites (initial victim posting hour only)\r\n[Chart: victims listed per publication hour, 00:00 UTC to 22:00 UTC, for Avaddon, Babuk, CL0P, Conti, Darkside, DoppelPaymer, Nefilim, PYSA and REvil]\r\nName Avaddon Babuk CL0P Conti Darkside DoppelPaymer Nefilim PYSA REvil\r\n00:00 UTC 9 0 1 3 2 0 0 50 1\r\n01:00 UTC 5 5 0 6 0 0 0 0 0\r\n02:00 UTC 15 0 0 1 2 1 0 0 0\r\n03:00 UTC 14 0 0 5 0 0 1 0 2\r\n04:00 UTC 2 0 0 0 2 0 0 0 1\r\n05:00 UTC 0 0 0 2 2 9 0 0 1\r\n06:00 UTC 0 0 0 1 2 1 0 8 4\r\n07:00 UTC 0 0 0 2 3 7 2 0 16\r\n08:00 UTC 0 1 0 16 1 0 3 0 3\r\n09:00 UTC 0 2 0 21 3 3 3 0 7\r\n10:00 UTC 0 3 3 8 3 0 1 0 7\r\n11:00 UTC 17 10 4 8 4 3 1 69 11\r\n12:00 UTC 0 2 5 4 5 1 3 0 3\r\n13:00 UTC 4 3 6 12 3 8 2 0 5\r\n14:00 UTC 8 2 11 12 12 8 1 0 3\r\n15:00 UTC 10 9 5 14 8 15 1 8 7\r\n16:00 UTC 4 2 2 7 8 7 2 0 10\r\n17:00 UTC 2 6 2 5 43 2 1 0 3\r\n18:00 UTC 4 0 0 7 3 1 1 0 9\r\n19:00 UTC 4 1 0 10 4 3 1 0 2\r\n20:00 UTC 2 3 1 2 3 0 2 0 6\r\n21:00 UTC 0 0 1 11 4 1 4 0 1\r\n22:00 UTC 2 0 1 30 5 1 6 0 2\r\n23:00 UTC 5 2 0 5 4 0 1 0 3\r\nThe list above 
contains publications on any given day of the week. If you want to look at the data only for working\r\ndays, see the screenshot below:\r\nTable showing publication hours of data leak sites (Monday – Friday)\r\nAnd for publications only on a weekend, this is it. You can see that three groups (CL0P, DoppelPaymer and\r\nPYSA) do not publish victims on a weekend, as they are missing in the table.\r\nTable showing publication hours of data leak sites (Saturday and Sunday)\r\nWhat are your take-aways? Do you agree or disagree with my assessment? Do you see a different pattern that you want\r\nto discuss? Let me know, I am very interested in seeing your views on this.\r\nSource: https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/"
	],
	"report_names": [
		"ransomware-and-date-leak-site-publication-time-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4045a0b663eaba6bdf1001b87ca47d374e6e3c6.pdf",
		"text": "https://archive.orkl.eu/e4045a0b663eaba6bdf1001b87ca47d374e6e3c6.txt",
		"img": "https://archive.orkl.eu/e4045a0b663eaba6bdf1001b87ca47d374e6e3c6.jpg"
	}
}