diff --git a/README.md b/README.md
index ef2c0252..11327fa3 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.
 - [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures.
+- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
 - [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.
 - [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
 - [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
diff --git a/galaxies/ransomware.json b/galaxies/ransomware.json
new file mode 100644
index 00000000..f8e04a3a
--- /dev/null
+++ b/galaxies/ransomware.json
@@ -0,0 +1,7 @@
+{
+  "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
+  "type": "ransomware",
+  "version": 1,
+  "name": "Ransomware",
+  "uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078"
+}