ransomwatch trails the extortion sites used by ransomware groups and surfaces an aggregated feed of claims
please use the issue template when making submissions for new groups
content within ransomwatch.telemetry.ltd
, posts.json
, groups.json
alongside the docs/
& source/
directories is dynamically generated based on hosting choices of real-world threat actors in near-real-time.
whilst sanitisation efforts have been taken, by viewing or accessing ransomwatch you acknowledge you are doing so at your own risk
if you leverage ransomwatch in commercial platforms, please consider becoming a sponsor 💞
web://
ransomwatch.telemetry.ltd
json://
ransomwhat.telemetry.ltd/posts
json://
ransomwhat.telemetry.ltd/groups
groups.json
contains hosts, nodes, relays and mirrors for a tracked group or actorposts.json
contains extracted posts, noted by their discovery time and accountable group
this is a live repository which leverages a combination of github actions and a service container to visit, parse & report on monitored hosts in near-realtime in a self-contained manor.
content fetching is done with psf/requests - if rendering is required mozilla/geckodriver and seleniumhq/selenium are leveraged.
the frontend is ultimatley markdown, generated with markdown.py and served with docsifyjs/docsify thanks to pages.github.com
graphs or visualisations are generated with plotting.py with the help of matplotlib/matplotlib
post indexing is done with a mix of grep
, awk
and sed
within parsers.py - it's brittle and like any ̴̭́H̶̤̓T̸̙̅M̶͇̾L̷͑ͅ ̴̙̏p̸̡͆a̷̛̦r̵̬̿s̴̙͛ĩ̴̺n̸̔͜g̸̘̈, has a limited lifetime.
rendered HTML for each page is viewable within the source directory
- screenshotter.py a playwright script to generate high-resolution screenshots of online hosts
- srcanalyser.py a basic extractor for emails, internal and external links found within page source
- browse-hosts.sh a simple cURL based iterator for sweeping URL checks
- sources.zsh an aggregator of various locations that surface new groups for ransomwatch
- uptimekuma-importer.py a script to convert the group data into a uptime-kuma configuration file
- parsers.sh a health-check script that provides details on parsers that are returning no fields
fetching hidden services requires a tor circuit! establish one with;
docker run -p9050:9050 ghcr.io/joshhighet/torsocc:latest
➜ ransomwatch git:(main) ✗ ./ransomwatch.py --help
_______________ |*\_/*|________
| ___________ | ||_/-\_|______ |
| | | | | | | |
| | 0 0 | | | | 0 0 | |
| | - | | | | - | |
| | \___/ | | | | \___/ | |
| |___ ___| | | |___________| |
|_____|\_/|_____| |_______________|
_|__|/ \|_|_.............💔.............._|________|_
/ ********** \ / ********** \
/ ************ \ ransomwhat? / ************ \
-------------------- --------------------
usage: ransomwatch.py [-h] [--name NAME] [--location LOCATION]
[--append APPEND]
{add,append,scrape,parse,list,markdown,check}
👀 🦅 ransomwatch
positional arguments:
{add,append,scrape,parse,list,markdown,check}
operation to execute
options:
-h, --help show this help message and exit
--name NAME provider name
--location LOCATION onionsite fqdn
--append APPEND add onionsite fqdn to existing record
newly indexed posts can be sent to discord by providing a DISCORD_WEBHOOK
var when running parse
.
DISCORD_WEBHOOK=https://discord.com/api/webhooks/xxxxx/xxx ./ransomwatch.py parse
erDiagram
groups_json ||--|{ group : contains
group {
string name "group name"
boolean captcha "captcha status"
boolean parser "parser status"
boolean javascript_render "javascript status"
string meta "freeform text"
string url "notable articles and references"
}
group ||--|{ locations : has
locations {
string fqdn "fully qualified domain name"
string title "page title"
int version "hidden service version"
string slug "full URI"
boolean available "availability status"
datetime updated "timestamp of last update"
datetime lastscrape "timestamp of last scrape"
boolean enabled "status"
}
group ||--|{ post : references
post {
string post_title "post title"
string group_name "associated group name"
datetime discovered "timestamp of discovery"
}
ransomwatch is licensed under unlicense.org