This study systematically analyzes over 27,000 posts published by 325 ransomware groups on data leak sites, uncovering non-random behavioral patterns in victim industry distribution, attack timing, and operational intensity. Departing from traditional malware-sample-based approaches, this work pioneers the large-scale use of publicly accessible leak sites as a source of behavioral traces, employing temporal analysis and statistical modeling to structurally mine textual data. The findings reveal pronounced concentration and repetitiveness in group activities, offering empirical grounding and a novel methodological framework for predicting ransomware attacks and enabling proactive defense strategies.

Ransomware has grown to become one of the most damaging types of cybercrime, affecting private and public organizations in any sector. While early types of ransomware targeted many victims via automated attacks, ransomware groups have started to specifically target organizations and companies in the expectation of receiving larger ransoms. To increase the pressure on victims, most groups host so-called data leak sites, where information about their victims is made public. The shift towards 'human-operated' ransomware together with easily accessible behavioral traces available from data leak sites makes research investigating operational regularities of ransomware groups of interest. Using leak site posts as behavioral traces of ransomware groups, we created a dataset consisting of over 27,000 posts from 325 groups. Based on this dataset, we analyzed victim concentration, temporal routines and targeting regularities. Our findings suggest that groups do not behave entirely random. Instead, the observable traces found on leak sites show concentration of activity, temporal routines and selective patterns.