/ransomFeed-details

Details for ransomfeed.it

Primary LanguagePythonThe UnlicenseUnlicense

ransomware.live

ransomwatch codeql-analysis analysis ransomwatch engine ransomwatch dockerimage builder ransomwatch codeql analysis

Ransomware.live is a website powered by a modified version of ransomwatch.

Ransomware.live is an Ransomware gang tracker, running within github actions, groups are visited & posts are indexed within this repository every hour

missing a group ? try the issue template

curl -sL https://raw.githubusercontent.com/jmousqueton/ransomware.live/main/posts.json | jq
curl -sL https://raw.githubusercontent.com/jmousqueton/ransomware.live/main/groups.json | jq

⚠️

content within ransomware.live, posts.json, groups.json and the docs/ & source/ directories is dynamically generated based on website of threat actors.

whilst sanitisation efforts have been taken, by viewing or accessing Ransomware.live generated material you acknowledge you are doing so at your own risk.

Technicals

The torproxy from jmousqueton/ransomware.live/torproxy registry is introduced into the github actions workflow as a service container to allow onion routing within ransomwatch.yml

The frontend is ultimatley markdown, generated with markdown.py and served with docsifyjs/docsify thanks to pages.github.com

Any graphs or visualisations are generated with plotting.py with the help of matplotlib/matplotlib

Post indexing is done with a mix of BeautifulSoup and command line with grep, awk and sed within parsers.py.

groups.json contains hosts, nodes, relays and mirrors for a tracked group or actor

posts.json contains parsed posts, noted by their discovery time and accountable group

Ransomware.live uses Ransomware Note from Zscaler ThreatLabz

Ransomware.live uses Ransomware group description from Malpedia

Analysis tools

All rendered source HTML is stored within ransomwatch/tree/main/source - change tracking and revision history of these blogs is made possible with git

screenshotter.py

A script to generate high-resolution screenshots of all online hosts within groups.json

srcanalyser.py

A beautifulsoup script to fetch emails, internal and external links from HTML within source/

Cli operations

fetching sites requires a local tor circuit on tcp://9050 - establish one with;

docker run -p9050:9050 ghcr.io/jmousqueton/ransomwatch/torproxy:latest

Group management

manage the groups within groups.json

Add new location (group or additional mirror)

python3 ransomwatch.py add --name acmecorp --location abcdefg.onion

Scraping

python3 ransomwatch.py scrape

or to force scraping host with enabled: False

python3 ransomwatch.py scrape --force 1

Parsing

Iterate files within the source/ directory and contribute findings to posts.json

for a crude health-check across all parsers, use assets/parsers.sh

pyhton3 ransomwatch.py parse

Get crypto wallets

Parse the ransomwhe.re API to get crypto wallet for Ransomware gang

pyhton3 addcrypto.py

Generating page

python3 ransomwatch.py markdown

Generating RSS Feed based on posts.json

python3 generateRSS.py

Misc

source.zsh

Scan well knowd sites for new Ransomware Gang site

./asset/sources.zsh

sitemap.sh

Generate sitemap.xlm

./asset/sitemap.sh

OrderGroups.sh

Re-order groups.json by group name

./asset/orderGroups.sh

ransomware.live is licensed under unlicense.org