Expert knowledge from the frontlines of ransomware defense. Industry leaders share actionable intelligence, novel workflows, and cutting-edge research to help you stay ahead of threats.
Expert research and analysis from the frontlines
A 0-day BYOVD vulnerability in dragoncore_k.sys signed by Zhengzhou 403 Network Technology, with shell company analysis, Dragon Breath APT-Q-27 attribution, and an APT31 / Wuhan Xiaoruizhi personnel nexus.
Alex Necula & Ellis Stannard
April 22, 2026
+3 contributors
An extortion-minded threat actor known as 0APT breached the Krybit ransomware admin panel — and within hours was counter-hacked by Krybit. A look inside both operations, the chat transcript, and the recovered Android-hosted infrastructure.
Corsin Camichel, Dani [Varys] Z, Ellis Stannard, Eric Taylor, Katya Kandratovich
April 14, 2026
A Unified Threat Advisory on Iran-linked hackers targeting small U.S. East Coast water utilities via Eclipse 9800i PLCs, and technical details of the TRK25-ADVANCED Python GUI ICS reconnaissance and exfiltration tool.
Reyben Cortes
April 9, 2026
+4 contributors
A threat advisory covering TeamPCP’s multi-stage supply chain campaign through Trivy, npm, LiteLLM, Telnyx, and Axios — with 11 prioritised defensive recommendations for organisations of all sizes.
Ransom-ISAC Research Team
April 3, 2026
+12 contributors
A deep-dive technical reference for SOC teams and threat hunters covering BYOVD attack analysis, kernel driver reverse engineering, KQL detection queries, and defensive hardening with WDAC policies.
Alex Necula
April 3, 2026
+3 contributors
A DPRK-affiliated social engineering campaign weaponises VS Code trusted features to deliver RATs through fake job interviews, with full attack chain analysis, malware breakdown, infrastructure tracking, and IOCs.
François-Julien Alcaraz & Yashraj Solanki
March 16, 2026
+3 contributors
Complete DFIR analysis of VEN0m ransomware including BYOVD attack chain, 42 behavioral detection queries, MITRE ATT&CK mapping, and trivially recoverable encryption key from a single open-source Rust binary.
Eric Taylor
February 26, 2026
+4 contributors
A case study exploring how deeper insight emerges when analysis moves beyond high-level sector classifications on Dedicated Leak Sites and instead focuses on the specific subsectors within which entities operate.
Jeffrey Bell
February 19, 2026
+3 contributors
A structured intelligence workflow for ransomware leak data collection and LLM-assisted analysis, from automated Tor-based collection to agentic reasoning and intelligence dissemination.
Apurv Singh Gautam
February 6, 2026
+4 contributors
An ethical and reproducible HUMINT-style workflow for safely observing ransomware affiliates using synthetic personas, tactical empathy, and rigorous operational security.
Matthew Maynard
December 29, 2025
+5 contributors
Follow the money through on-chain analysis, tracing stolen funds across BSC and TRON blockchains and connecting wallet addresses directly to other DPRK exchange thefts. Blockchain forensic evidence ties this campaign to a broader pattern of North Korean cryptocurrency operations.
Nick Smart and Andrii Sovershennyi
December 8, 2025
+4 contributors
Deep dive into the adversary infrastructure, operational security measures, and attribution analysis of the DPRK-linked campaign, revealing infrastructure fingerprints, C2 clusters, and connections to known threat groups.
Yashraj Solanki
November 13, 2025
+4 contributors
Detailed analysis of the DEV#POPPER.js RAT and OmniStealer malware used in the sophisticated cross-chain attack campaign, revealing the complete kill chain from initial compromise through data exfiltration.
Ellis Stannard
October 27, 2025
+6 contributors
Deep dive into a sophisticated DPRK-linked attack campaign using novel Cross-Chain TxDataHiding techniques to create takedown-proof C2 infrastructure across TRON, Aptos, and BSC blockchains.
Ellis Stannard
October 20, 2025
+5 contributors
We're building a community of ransomware defense experts. If you have unique insights, novel workflows, or cutting-edge research to share, we want to hear from you.
Email us at [email protected]
Partner with Ransom-ISAC to access high-quality threat intelligence and connect with defenders worldwide.