The CyberPeace Institute is pleased to announce its participation in the ENSEMBLE (Enhanced AI-based cybercrime-oriented collaborative investigation technologies and capabilities) European Horizon Project. The project began in November 2024 and runs until late 2027. As part of ENSEMBLE, the CyberPeace Institute is helping to develop an AI tool that supports Law Enforcement Agencies’ (LEAs) investigations into cybercrime. This includes developing use case scenarios that help individuals and organisations prepare for sophisticated cyberattacks.
In parallel with its work on ENSEMBLE, the Institute has published research into ransomware threat actors. For this report, CyberPeace Institute researchers collected and analysed data on 290 threat actors and over 2,000 ransomware incidents from the past five years. The research focused on the geographical connections of these threat actors, the infrastructure they use, and the organisations they target.
Some key points from the report include the following:
- Of the 2,753 ransomware incidents analysed, 821 (conducted between 2020 and 2025) targeted organisations in the healthcare sector across 51 countries. Healthcare organisations in the US were targeted most often (506), followed by France (45), Australia (27), the United Kingdom and Italy (23 each), and Canada (22).
- The most active threat actors against healthcare organisations were LockBit (65 incidents), Hive and Conti (29 each), Pysa (28), BlackCat (27), and Vice Society (19).
- Of the 290 threat actors researched, 122 (42%) lack sufficient evidence for a geographical assessment. The remaining 168 are connected to 40 countries: 67% (112 of 168) are assessed, with varying degrees of confidence, to be connected to the Russian Federation, 8% (13 of 168) to Iran, and 5% (8 of 168) to China. These connections do not imply state affiliation.
- Infrastructure analysis was conducted on a sample of 1,157 IP addresses and 312 netblocks located in 60 countries. It reveals concentration on a small number of providers, recurring use of the same providers across actors, and reuse of the same IP addresses by different actors. The data was enriched with historical DNS, WHOIS and ASN records, and cross-checked against VirusTotal, BGP tools, and researcher comments.
- The findings indicate that certain providers are highly likely to be favoured by ransomware threat actors. Infrastructure from a single provider was used by six of the 24 threat actors whose infrastructure was analysed, and the next two most common providers were each used by five threat actors.
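The three infrastructure signals named above (provider concentration, provider recurrence across actors, and shared IP reuse) can be computed from an actor-to-IP mapping once the IPs have been enriched with netblock and provider data. The following is an added illustration, not code from the report or from ENSEMBLE, and it generalises the report's findings into a small reusable analysis. The actor names, IP addresses (from the documentation ranges), netblocks and provider labels are all constructed for the example; in practice the netblock table would come from the WHOIS, ASN and BGP enrichment the report describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical, not from the report): IPs observed per threat actor.
ACTOR_IPS = {
    "actor-A": ["203.0.113.10", "203.0.113.25", "198.51.100.7"],
    "actor-B": ["203.0.113.40", "192.0.2.15"],
    "actor-C": ["198.51.100.7", "192.0.2.200"],
    "actor-D": ["203.0.113.77", "100.64.0.1"],
}

# Constructed netblock -> provider labels, standing in for WHOIS/ASN/BGP enrichment results.
NETBLOCKS = {
    "203.0.113.0/24": "AS64500 ExampleHost",
    "198.51.100.0/24": "AS64501 OtherCloud",
    "192.0.2.0/24": "AS64502 ThirdNet",
}


def provider_for(ip, netblocks=NETBLOCKS):
    """Longest-prefix match of an IP against the enriched netblocks; 'unknown' if none covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for block, provider in netblocks.items():
        net = ipaddress.ip_network(block, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, provider)
    return best[1] if best else "unknown"


def provider_recurrence(actor_ips=ACTOR_IPS, netblocks=NETBLOCKS):
    """Map each provider to the set of distinct actors observed hosting on it."""
    actors_by_provider = defaultdict(set)
    for actor, ips in actor_ips.items():
        for ip in ips:
            actors_by_provider[provider_for(ip, netblocks)].add(actor)
    return dict(actors_by_provider)


def rank_providers(actor_ips=ACTOR_IPS, netblocks=NETBLOCKS):
    """Providers ordered by how many distinct actors use them (ties broken by name)."""
    recurrence = provider_recurrence(actor_ips, netblocks)
    return sorted(((p, len(a)) for p, a in recurrence.items()), key=lambda x: (-x[1], x[0]))


def shared_ips(actor_ips=ACTOR_IPS):
    """IPs that appear in more than one actor's infrastructure: the 'shared IP reuse' signal."""
    actors_by_ip = defaultdict(set)
    for actor, ips in actor_ips.items():
        for ip in ips:
            actors_by_ip[ip].add(actor)
    return {ip: actors for ip, actors in actors_by_ip.items() if len(actors) > 1}


def concentration(actor_ips=ACTOR_IPS, netblocks=NETBLOCKS):
    """Share of all distinct observed IPs that sit with the single most-used provider."""
    unique_ips = {ip for ips in actor_ips.values() for ip in ips}
    if not unique_ips:
        return 0.0
    ip_count = defaultdict(int)
    for ip in unique_ips:
        ip_count[provider_for(ip, netblocks)] += 1
    return max(ip_count.values()) / len(unique_ips)


if __name__ == "__main__":
    for provider, n in rank_providers():
        print(f"{provider}: used by {n} actor(s)")
    print("shared IPs:", shared_ips())
    print(f"concentration at top provider: {concentration():.0%}")
```

A shared IP or a shared provider is a lead, not a link: on large hosting or CDN providers, unrelated actors land on the same ranges by chance, so a practitioner would confirm overlapping time windows and ownership (the historical DNS and WHOIS records the report mentions) before treating reuse as evidence of a connection between two actors.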
The full report can be found here.
Data Flow into Ensemble
The data collected for the ransomware report has a specific role in ENSEMBLE: it will be used to generate synthetic data for training AI models. Alongside synthetic data generation, the Institute is developing an AI tool that uses multimodal large language models (LLMs) to extract entities from multimedia content. The tool will extract key information relevant to cybercrime investigations and return the results in JSON format. This is an important step within ENSEMBLE, because the CyberPeace Institute and its partners are also providing data for ransomware-related use case scenarios. These scenarios cover a range of situations designed to improve the platform’s ability to address cybercrime effectively.
Written by CyberPeace Institute
