In September 2019, we started a dataset of Critical Infrastructures Ransomware Attacks (CIRAs). These are based on publicly disclosed incidents in the media or security reports. This dataset (version 12.5) now has 1,354 records assembled from publicly disclosed incidents between November 2013 and November 30, 2022, and has been mapped to the MITRE ATT&CK Framework. To date, we have fulfilled 1,330 requests.
To learn how we developed the CIRA dataset in greater detail, you can read our paper: Rege, A. & Bleiman, R.(2022) . “A Free and Community-driven Critical Infrastructure Ransomware Dataset”. Proceedings from the IEEE Cyber Science Conference.
This is a FREE resource that you can request. Please note that we do NOT send the dataset to a personal email (gmail, protonmail, hotmail, etc.). Allow 2-4 weeks for us to respond to your request.
This dataset is free and accessible to the community. It can be used for educational/training purposes, conducting your own analysis/threat intel, sharing with stakeholders, etc. This limited license for the use of the dataset does not include commercial or for-profit purposes. Please do NOT use/share this dataset to develop commercial products/services/software that others have to pay for!
If you use the dataset, in whole or in part, for any analysis, publication, presentation, or any other dissemination (including social media), you agree to cite this dataset in your reference list as:
Rege, A. (2022). “Critical Infrastructure Ransomware Attacks (CIRA) Dataset”. Version 12.5. Temple University. Online at https://sites.temple.edu/care/cira/. Funded by National Science Foundation CAREER Award #1453040. ORCID: 0000-0002-6396-1066.
By using this dataset you agree that all copyright and/or other proprietary notices on these materials must be kept intact and may not be removed.
Our dataset was featured in Security Week, Gartner, BRINK, Security Magazine, SentinelOne, Bleeping Computer, Dark Reading, Cyber Peace Institute, the Washington Post, Bloomberg, USA Today, Institute for New Economic Thinking, The Dallas Morning News, Business Insider, California News Times, Financial Times, CIO Dive, and eSecurity Planet!
Want to submit a CIRA? Your contribution, if relevant, will be added to this dataset!
|Summary Findings (2013-current)
Most targeted CI: Government facilities
Most common RW strain: Maze
Most typical duration of RWAs: 1 week or less
Most typical ransom amount demanded: USD 50,000 or less
Download the 1-page summary
|Who has requested our repository?
We have had download requests from government, industry, researchers, media, faculty, graduate and undergraduate students
Check out these fantastic resources for ICS security.