{"id":13792811,"url":"https://github.com/joshhighet/ransomwatch","last_synced_at":"2025-05-12T14:32:21.066Z","repository":{"id":37250499,"uuid":"394216284","full_name":"joshhighet/ransomwatch","owner":"joshhighet","description":"the transparent ransomware claim tracker 🥷🏼🧅🖥️","archived":false,"fork":false,"pushed_at":"2025-05-08T04:35:18.000Z","size":4613369,"stargazers_count":1011,"open_issues_count":17,"forks_count":159,"subscribers_count":52,"default_branch":"main","last_synced_at":"2025-05-08T05:27:42.390Z","etag":null,"topics":["darkweb","ransomware"],"latest_commit_sha":null,"homepage":"https://ransomwatch.telemetry.ltd","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joshhighet.png","metadata":{"files":{"readme":".github/README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["joshhighet"]}},"created_at":"2021-08-09T08:45:09.000Z","updated_at":"2025-05-08T04:35:23.000Z","dependencies_parsed_at":"2023-09-22T19:44:51.353Z","dependency_job_id":"536a43fd-b671-4240-943a-e872b7c0a017","html_url":"https://github.com/joshhighet/ransomwatch","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshhighet%2Fransomwatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshhighet%2Fransomwatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshhighet%2Fransomwatch/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/joshhighet%2Fransomwatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joshhighet","download_url":"https://codeload.github.com/joshhighet/ransomwatch/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253755047,"owners_count":21958944,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["darkweb","ransomware"],"created_at":"2024-08-03T22:01:16.313Z","updated_at":"2025-05-12T14:32:16.003Z","avatar_url":"https://github.com/joshhighet.png","language":"HTML","funding_links":["https://github.com/sponsors/joshhighet"],"categories":["🔭  Observing Ransomware Groups and Attacks","others"],"sub_categories":["✨  Other"],"readme":"\u003c!--\nlooking for historical data? 
\ncheck ransomwatch-history - https://github.com/joshhighet/ransomwatch-history\n--\u003e\n\u003cdiv align=\"center\"\u003e\n\u003ch1\u003e\n  \u003ca href=\"https://ransomwatch.telemetry.ltd\"\u003e\n    ransomwatch 👀 🦅\n  \u003c/a\u003e\n\u003c/h1\u003e\n\u003c/div\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/joshhighet/ransomwatch/actions/workflows/ransomwatch.yml\"\u003e\n    \u003cimg src=\"https://github.com/joshhighet/ransomwatch/actions/workflows/ransomwatch.yml/badge.svg\" alt=\"ransomwatch engine\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/joshhighet/ransomwatch/actions/workflows/codeql-analysis.yml\"\u003e\n    \u003cimg src=\"https://github.com/joshhighet/ransomwatch/actions/workflows/codeql-analysis.yml/badge.svg\" alt=\"ransomwatch codeql analysis\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\nransomwatch trails the extortion sites used by ransomware groups and surfaces an aggregated feed of claims\n\nplease use the [_issue template_](https://github.com/joshhighet/ransomwatch/issues/new?assignees=\u0026labels=✨+enhancement\u0026template=newgroup.yml\u0026title=new+group%3A+) when submitting new groups\n\n---\n\n\u003ch4 align=\"center\"\u003e⚠️\u003c/h4\u003e\n\n_content within `ransomwatch.telemetry.ltd`, `posts.json`, `groups.json` alongside the `docs/` \u0026 `source/` directories is dynamically generated based on hosting choices of real-world threat actors in near-real-time._\n\n_whilst sanitisation efforts have been taken, by viewing or accessing ransomwatch you acknowledge you are doing so at your own risk_\n\n##### if you leverage ransomwatch in commercial platforms, please consider becoming a [sponsor](https://github.com/sponsors/joshhighet) 💞\n\n---\n\n### key outputs\n\n`web://` [`ransomwatch.telemetry.ltd`](https://ransomwatch.telemetry.ltd)\n\n`json://` [`ransomwhat.telemetry.ltd/posts`](https://ransomwhat.telemetry.ltd/posts)\n\n`json://` 
[`ransomwhat.telemetry.ltd/groups`](https://ransomwhat.telemetry.ltd/groups)\n\n- _`groups.json` contains hosts, nodes, relays and mirrors for a tracked group or actor_\n- _`posts.json` contains extracted posts, noted by their discovery time and accountable group_\n\n\n## technicals\n\nthis is a live repository that utilizes a combination of GitHub actions and a [service container](https://docs.github.com/en/actions/using-containerized-services/about-service-containers). it visits, parses, and reports on monitored hosts in near-real-time in a self-contained manner\n\ncontent fetching is done with [psf/requests](https://github.com/psf/requests) - if rendering is required [mozilla/geckodriver](https://github.com/mozilla/geckodriver) and [seleniumhq/selenium](https://github.com/SeleniumHQ/selenium) are leveraged.\n\nThe frontend is ultimately generated with markdown, using [markdown.py](https://github.com/joshhighet/ransomwatch/blob/main/markdown.py) and served with [docsifyjs/docsify](https://github.com/docsifyjs/docsify) thanks to [pages.github.com](https://pages.github.com)\n\ngraphs or visualisations are generated with [plotting.py](https://github.com/joshhighet/ransomwatch/blob/main/plotting.py) with the help of [matplotlib/matplotlib](https://github.com/matplotlib/matplotlib)\n\npost indexing is done with a mix of `grep`, `awk` and `sed` within [parsers.py](https://github.com/joshhighet/ransomwatch/blob/main/parsers.py) - it's brittle and like any  ̴̭́H̶̤̓T̸̙̅M̶͇̾L̷͑ͅ ̴̙̏p̸̡͆a̷̛̦r̵̬̿s̴̙͛ĩ̴̺n̸̔͜g̸̘̈, has a limited lifetime.\n\n## tools\n\nrendered HTML for each page is viewable within the [source](https://github.com/joshhighet/ransomwatch/tree/main/source) directory\n\n- [screenshotter.py](https://github.com/joshhighet/ransomwatch/blob/main/assets/screenshotter.py) _a playwright script to generate high-resolution screenshots of online hosts_\n- [srcanalyser.py](https://github.com/joshhighet/ransomwatch/blob/main/assets/srcanalyser.py) _a basic extractor for 
emails, internal and external links found within page source_\n- [browse-hosts.sh](https://github.com/joshhighet/ransomwatch/blob/main/assets/browse-hosts.sh) _a simple cURL based iterator for sweeping URL checks_\n- [sources.sh](https://github.com/joshhighet/ransomwatch/blob/main/assets/sources.sh) _an aggregator of various locations that surface new groups for ransomwatch_\n- [uptimekuma-importer.py](https://github.com/joshhighet/ransomwatch/blob/main/assets/uptimekuma-importer.py) _a script to convert the group data into an [uptime-kuma](https://github.com/louislam/uptime-kuma) configuration file_\n- [parsers.sh](https://github.com/joshhighet/ransomwatch/blob/main/assets/parsers.sh) _a health-check script that provides details on parsers that are returning no fields_\n\n_a flattened version of groups.json with each host as its own object can be found at [assets/groups-kv.json](https://github.com/joshhighet/ransomwatch/blob/main/assets/groups-kv.json). the structure is an array of objects, each representing a distinct entity/group with each containing all properties (like `name`, `captcha`, `parser`, etc.) at the same level, including potential repetition on elements such as `profile` and `meta`. some data analysis tools work with this structure in an easier manner requiring less transposing._\n\n## cli operations\n\n_fetching hidden services requires a tor circuit! 
establish one with;_\n\n```shell\ndocker run -p9050:9050 ghcr.io/joshhighet/torsocc:latest\n```\n\n```shell\nusage: ransomwatch.py [-h] [--name NAME] [--location LOCATION] {add,scrape,parse,markdown}\n\npositional arguments:\n  {add,scrape,parse,markdown}\n                        operation to execute\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --name NAME           provider name\n  --location LOCATION   target web location (full URI)\n\n       _______________                        |*\\_/*|________\n      |  ___________  |                      ||_/-\\_|______  |\n      | |           | |                      | |           | |\n      | |   0   0   | |                      | |   0   0   | |\n      | |     -     | |                      | |     -     | |\n      | |   \\___/   | |                      | |   \\___/   | |\n      | |___     ___| |                      | |___________| |\n      |_____|\\_/|_____|                      |_______________|\n        _|__|/ \\|_|_.............💔.............._|________|_\n       / ********** \\                          / ********** \\\n     /  ************  \\   👀 🦅 ransomwatch  /  ************  \\\n    --------------------                    --------------------\n```\n\nnewly indexed posts can be sent to discord by providing a `DISCORD_WEBHOOK` var when running `parse`.\n\n```shell\nDISCORD_WEBHOOK=https://discord.com/api/webhooks/xxxxx/xxx ./ransomwatch.py parse\n```\n\u003cimg width=\"381\" src=\"https://github.com/joshhighet/ransomwatch/assets/17993143/53226d1e-475b-4e80-8af5-727c153e6b4c\"\u003e\n\n## datamap\n\n```mermaid\nerDiagram\n    groups_json ||--|{ group : contains\n    group {\n        string name \"group name\"\n        boolean captcha \"captcha status\"\n        boolean parser \"parser status\"\n        boolean javascript_render \"javascript status\"\n        string meta \"freeform text\"\n        string url \"notable articles and references\"\n    }\n    group ||--|{ locations 
: has\n    locations {\n        string fqdn \"fully qualified domain name\"\n        string title \"page title\"\n        int version \"hidden service version\"\n        string slug \"full URI\"\n        boolean available \"availability status\"\n        datetime updated \"timestamp of last update\"\n        datetime lastscrape \"timestamp of last scrape\"\n        boolean enabled \"status\"\n    }\n    group ||--|{ post : references\n    post {\n        string post_title \"post title\"\n        string group_name \"associated group name\"\n        datetime discovered \"timestamp of discovery\"\n    }\n```\n\n## accessing data with cURL and JQ \n\n##### print last 10 claims by group `lockbit3`\n\n```shell\ncurl -sL ransomwhat.telemetry.ltd/posts \\\n| jq -r '.[] | select(.group_name == \"lockbit3\") | .post_title' \\\n| tail -n 10\n```\n\n##### print all online URLs\n\n```shell\ncurl -sL ransomwhat.telemetry.ltd/groups \\\n| jq -r '.[] | .locations[] | select(.available == true) | .slug'\n```\n\n##### print group data for \"lockbit3\"\n\n```shell\ncurl -sL ransomwhat.telemetry.ltd/groups \\\n| jq -r '.[] | select(.name == \"lockbit3\")'\n```\n\n##### print the last 20 claims\n\n```shell\ncurl -sL ransomwhat.telemetry.ltd/posts \\\n| jq -r '.[] | [.group_name, .post_title] | @tsv' \\\n| sed 's/ /_/g' | column -t | tail -n 20\n```\n\n---\n\n_ransomwatch is [licensed](https://github.com/joshhighet/ransomwatch/blob/main/LICENSE) under [unlicense.org](https://unlicense.org)_\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshhighet%2Fransomwatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoshhighet%2Fransomwatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshhighet%2Fransomwatch/lists"}