Ransomware.live is a website powered by a modified version of ransomwatch.
Ransomware.live is an Ransomware gang tracker, running within github actions, groups are visited & posts are indexed within this repository every hour
missing a group ? try the issue template
curl -sL https://raw.githubusercontent.com/jmousqueton/ransomware.live/main/posts.json | jq
curl -sL https://raw.githubusercontent.com/jmousqueton/ransomware.live/main/groups.json | jq
content within ransomware.live
, posts.json
, groups.json
and the docs/ & source/
directories is dynamically generated based on website of threat actors.
whilst sanitisation efforts have been taken, by viewing or accessing Ransomware.live generated material you acknowledge you are doing so at your own risk.
The torproxy from jmousqueton/ransomware.live/torproxy registry is introduced into the github actions workflow as a service container to allow onion routing within ransomwatch.yml
The frontend is ultimatley markdown, generated with markdown.py and served with docsifyjs/docsify thanks to pages.github.com
Any graphs or visualisations are generated with plotting.py with the help of matplotlib/matplotlib
Post indexing is done with a mix of BeautifulSoup and command line with grep
, awk
and sed
within parsers.py.
groups.json
contains hosts, nodes, relays and mirrors for a tracked group or actor
posts.json
contains parsed posts, noted by their discovery time and accountable group
Ransomware.live uses Ransomware Note from Zscaler ThreatLabz
Ransomware.live uses Ransomware group description from Malpedia
All rendered source HTML is stored within ransomwatch/tree/main/source - change tracking and revision history of these blogs is made possible with git
A script to generate high-resolution screenshots of all online hosts within groups.json
A beautifulsoup script to fetch emails, internal and external links from HTML within source/
fetching sites requires a local tor circuit on tcp://9050 - establish one with;
docker run -p9050:9050 ghcr.io/jmousqueton/ransomwatch/torproxy:latest
manage the groups within groups.json
python3 ransomwatch.py add --name acmecorp --location abcdefg.onion
python3 ransomwatch.py scrape
or to force scraping host with enabled: False
python3 ransomwatch.py scrape --force 1
Iterate files within the source/
directory and contribute findings to posts.json
for a crude health-check across all parsers, use
assets/parsers.sh
pyhton3 ransomwatch.py parse
Parse the ransomwhe.re API to get crypto wallet for Ransomware gang
pyhton3 addcrypto.py
python3 ransomwatch.py markdown
python3 generateRSS.py
Scan well knowd sites for new Ransomware Gang site
./asset/sources.zsh
Generate sitemap.xlm
./asset/sitemap.sh
Re-order groups.json
by group name
./asset/orderGroups.sh
ransomware.live is licensed under unlicense.org