This report is based on a comprehensive database that was collected from the websites of 21 ransomware groups. These groups were involved in exfiltrating data from a total of1,112 companies, located in 63 countries. We focused on ransomware activity that occurred during 2020, when the ransomware groups started to publish stolen data on their dedicated platforms. As will be elaborated below, the collection of data, its analysis and classification has been done manually. We selected the groups based on the frequency of cyber threat intelligence published on the Dark Web and included updated links to websites of current and new active groups. The manual collection of data stolen by the ransomware groups involved accessing all their websites, which are mostly located in the Darknet. A few of the websites were inaccessible or have been taken down and we used different tools to successfully access their archived Darknet pages. This unique combination of manual and automated data gathering, provided a comprehensive picture of all relevant groups, including ones that stopped their activity during 2020, for example, “Maze”. Following the collection of all the victims’ details from the ransomware groups’ websites, we analyzed the data by checking each victim and verifying the accuracy of the information published by the cybercriminals. This process was necessary, as some groups published inaccurate names and some only published the URL of the victim’s website. We took the analysis a step further by classifying each victim by country and industry. While some groups published the location of their victims, not all of them did. This required manually finding out and verifying the headquarters or head offices of the victims. With regards to industry classification, we used 18 key industries (see appendix A). In addition, as some groups published their activity online, we were able to build a timeline of publication dates that helped us to shed some more light on the timing of the attacks. 1.1 METHODOLOGY 1.2 DATA COLLECTION 1.3 ANALYSIS AND CLASSIFICATION 5 | The Ransomware Landscape