/ransomwatch

a ransomware-group observatory 🧅👹

Primary LanguageHTMLThe UnlicenseUnlicense

ransomwatch pylint analysis ransomwatch engine ransomwatch dockerimage builder ransomwatch codeql analysis

missing a group ? try the issue template

looking for historical data? check ransomwatch-history

this repository leverages github actions & pages to visit, parse & report on monitored hosts in near-realtime.

curl -sL ransomwhat.telemetry.ltd/posts | jq
curl -sL ransomwhat.telemetry.ltd/groups | jq

⚠️

content within ransomwatch.telemetry.ltd, posts.json, groups.json and the docs/ & source/ directories is dynamically generated based on hosting choices of real-world threat actors in near-real-time.

whilst sanitisation efforts have been taken, by viewing or accessing ransomwatch you acknowledge you are doing so at your own risk


technicals

the torproxy from my gotham registry is introduced into the github actions workflow as a service container to allow onion routing within ransomwatch.yml

where possible psf/requests is used to fetch source html. if a javascript engine is required to render the dom mozilla/geckodriver and seleniumhq/selenium are invoked.

the frontend is ultimatley markdown, generated with markdown.py and served with docsifyjs/docsify thanks to pages.github.com

any graphs or visualisations are generated with plotting.py with the help of matplotlib/matplotlib

post indexing is done with a mix of grep, awk and sed within parsers.py - it's brittle and like any ̴̭́H̶̤̓T̸̙̅M̶͇̾L̷͑ͅ ̴̙̏p̸̡͆a̷̛̦r̵̬̿s̴̙͛ĩ̴̺n̸̔͜g̸̘̈, has a limited lifetime.

groups.json contains hosts, nodes, relays and mirrors for a tracked group or actor

posts.json contains parsed posts, noted by their discovery time and accountable group

analysis tools

all rendered source HTML is stored within ransomwatch/tree/main/source - change tracking and revision history of these blogs is made possible with git

a script to generate high-resolution screenshots of all online hosts within groups.json

a beautifulsoup script to fetch emails, internal and external links from HTML within source/

cli operations

fetching sites requires a local tor circuit on tcp://9050 - establish one with;

docker run -p9050:9050 ghcr.io/joshhighet/gotham/torproxy:latest

group management

manage the groups within groups.json

add new location (group or additional mirror)

./ransomwatch.py add --name acmecorp --location abcdefg.onion

scraping

./ransomwatch.py scrape

parsing

iterate files within the source/ directory and contribute findings to posts.json

for a crude health-check across all parsers, use assets/parsers.sh

./ransomwatch.py parse

ransomwatch is licensed under unlicense.org