This document discusses tracking ransomware through digital footprints. It describes prominent ransomware variants like CryptoLocker, TorrentLocker, Alpha/TeslaCrypt and CryptoWall. It outlines how ransomware infects systems through phishing, compromised domains or malvertising. Ransomware uses geolocation calls and command and control exchanges. Services like Malwr.com and Virustotal.com can be used to identify related domains and track ransomware activity. Training systems to identify previously seen ransomware domains can help block future infections.