{"id":24128064,"url":"https://github.com/muchdogesec/ransomwarekb","last_synced_at":"2025-08-31T17:34:24.062Z","repository":{"id":254288319,"uuid":"843323934","full_name":"muchdogesec/ransomwarekb","owner":"muchdogesec","description":"A common knowledge base of ransomware.","archived":false,"fork":false,"pushed_at":"2024-08-22T13:48:54.000Z","size":575,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-11T18:33:32.988Z","etag":null,"topics":["ransomware","threat-intelligence"],"latest_commit_sha":null,"homepage":"https://www.dogesec.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/muchdogesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-16T09:07:42.000Z","updated_at":"2024-12-17T17:25:35.000Z","dependencies_parsed_at":"2024-08-22T15:28:14.680Z","dependency_job_id":null,"html_url":"https://github.com/muchdogesec/ransomwarekb","commit_stats":null,"previous_names":["muchdogesec/ransomware_kb","muchdogesec/ransomwarekb"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fransomwarekb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fransomwarekb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fransomwarekb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fransomwarekb/manifests","owner_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/muchdogesec","download_url":"https://codeload.github.com/muchdogesec/ransomwarekb/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241312456,"owners_count":19942373,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ransomware","threat-intelligence"],"created_at":"2025-01-11T18:26:24.958Z","updated_at":"2025-03-01T03:25:33.401Z","avatar_url":"https://github.com/muchdogesec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ransomware KB\n\n## Overview\n\n![](docs/ransomware_kb.png)\n\nRansomware KB aims to be a centralised knowledgebase, in STIX 2.1 format, that provides a standard for ransomware specific information.\n\nIt was born from our frustration of various intelligence producers each naming the same ransomware ever-so-slightly differently.\n\nThis project is heavily inspired by MITRE ATT\u0026CK, aiming to fill the gap in MITRE ATT\u0026CK for ransomware specific content. Where relevant, Ransomware KB also links back the MITRE ATT\u0026CK framework with the ultimate goal to commit the data gathered here into MITRE ATT\u0026CK.\n\nThe data is managed in the spreadsheet found in this repository here; `data/ransomware_kb_master.xlsx`, with each tab reperesenting a different concept (e.g. `Intrustion Set - Threat Actors`).\n\n## Structure of the data\n\nAt present the following concepts are supported;\n\n1. 
Groups (STIX `intrusion-set` objects, ID in format `GXXXX`): describe ransomware operators and groups.\n2. Ransomware (STIX `malware` objects, ID in format `RXXXX`): describe the ransomware itself.\n3. Tools (STIX `tool` objects, ID in format `TXXXX`): describe the tools used by ransomware operators and groups.\n4. Victims (TODO): infected by the ransomware.\n5. Malware (TODO): describes other malware variants (not ransomware) used by groups during a campaign.\n6. Linking objects to MITRE ATT\u0026CK Tactics and Techniques (TODO).\n\n## Data generation\n\nThe script uses the stix2 Python library to generate the objects.\n\nA local copy of the objects generated is stored in `stix2_objects`.\n\n### Groups (`intrusion-set`)\n\nThese objects are generated from the tab `Intrustion Set - Groups`:\n\n```json\n{\n    \"type\": \"intrusion-set\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"intrusion-set--\u003cUUIDV5\u003e\",\n    \"created\": \"\u003cFIRST RUN TIME OF SCRIPT\u003e\",\n    \"modified\": \"\u003cSCRIPT RUN TIME IF OBJECT CHANGED\u003e\",\n    \"created_by_ref\": \"identity--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n    \"name\": \"\u003cname\u003e\",\n    \"description\": \"\u003cdescription\u003e\",\n    \"aliases\": [\n        \"\u003caliases (each new line represents an alias)\u003e\"\n    ],\n    \"external_references\": [\n        {\n            \"source_name\": \"ranomware-kb\",\n            \"external_id\": \"\u003cexternal_id\u003e\"\n        },\n        {\n            \"source_name\": \"mitre-attack\",\n            \"external_id\": \"\u003cmitre_attack_id\u003e\"\n        },\n        {\n            \"source_name\": \"\u003cref.x\u003e\",\n            \"description\": \"\u003cvalue\u003e\"\n        }\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\"\n    ]\n}\n```\n\nThe uuidv5 is generated using the namespace 
`221c1248-e62e-56e5-bbfb-7d5efc477271` and the `name` property.\n\n### Ransomware (`malware`)\n\nThese objects are generated from the tab `Malware - Ransomware`:\n\n```json\n{\n    \"type\": \"malware\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"malware--\u003cUUIDV5\u003e\",\n    \"created\": \"\u003cFIRST RUN TIME OF SCRIPT\u003e\",\n    \"modified\": \"\u003cSCRIPT RUN TIME IF OBJECT CHANGED\u003e\",\n    \"created_by_ref\": \"identity--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n    \"name\": \"\u003cname\u003e\",\n    \"description\": \"\u003cdescription\u003e\",\n    \"aliases\": [\n        \"\u003caliases (each new line represents an alias)\u003e\"\n    ],\n    \"x_mitre_platforms\": [\n        \"\u003cwindows,linux,macos,android\u003e\"\n    ],\n    \"external_references\": [\n        {\n            \"source_name\": \"ranomware-kb\",\n            \"external_id\": \"\u003cexternal_id\u003e\"\n        },\n        {\n            \"source_name\": \"mitre-attack\",\n            \"external_id\": \"\u003cmitre_attack_id\u003e\"\n        },\n        {\n            \"source_name\": \"\u003cref.x\u003e\",\n            \"description\": \"\u003cvalue\u003e\"\n        }\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\"\n    ]\n}\n```\n\nThe uuidv5 is generated using the namespace `221c1248-e62e-56e5-bbfb-7d5efc477271` and the `name` property.\n\n#### Groups (`intrusion-set`) -\u003e Ransomware (`malware`)\n\nThe `Intrustion Set - Threat Actors` table has the column `ransomware_used`, which contains a key, the `external_id` of the Malware (found in the tab `Malware - Ransomware`), used to link the two objects. 
A relationship object is generated to represent this link.\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUIDV5\u003e\",\n    \"created\": \"\u003cCREATED TIME OF MALWARE OBJECT\u003e\",\n    \"modified\": \"\u003cMODIFIED TIME OF MALWARE OBJECT\u003e\",\n    \"created_by_ref\": \"identity--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n    \"relationship_type\": \"uses\",\n    \"source_ref\": \"intrusion-set--\u003cID\u003e\",\n    \"target_ref\": \"malware--\u003cID\u003e\",\n    \"description\": \"The group \u003cgroup.name\u003e uses \u003cmalware.name\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\"\n    ]\n}\n```\n\nThe uuidv5 is generated using the namespace `221c1248-e62e-56e5-bbfb-7d5efc477271` and the `\u003crelationship_type\u003e+\u003csource_ref\u003e+\u003ctarget_ref\u003e` property.\n\n### Tools (`tool`)\n\nThese objects are generated from the tab `Software - Tools`:\n\n```json\n{\n    \"type\": \"tool\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"tool--\u003cUUIDV5\u003e\",\n    \"created\": \"\u003cFIRST RUN TIME OF SCRIPT\u003e\",\n    \"modified\": \"\u003cSCRIPT RUN TIME IF OBJECT CHANGED\u003e\",\n    \"created_by_ref\": \"identity--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n    \"name\": \"\u003cname\u003e\",\n    \"description\": \"\u003cdescription\u003e\",\n    \"aliases\": [\n        \"\u003caliases (each new line represents an alias)\u003e\"\n    ],\n    \"x_mitre_platforms\": [\n        \"\u003cwindows,linux,macos,android\u003e\"\n    ],\n    \"external_references\": [\n        {\n            \"source_name\": \"ranomware-kb\",\n            \"external_id\": \"\u003cexternal_id\u003e\"\n        },\n        {\n            \"source_name\": \"mitre-attack\",\n            \"external_id\": \"\u003cmitre_attack_id\u003e\"\n        },\n        {\n            \"source_name\": \"\u003cref.x\u003e\",\n            \"description\": \"\u003cvalue\u003e\"\n        }\n    
],\n    \"object_marking_refs\": [\n        \"marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\"\n    ]\n}\n```\n\nThe uuidv5 is generated using the namespace `221c1248-e62e-56e5-bbfb-7d5efc477271` and the `name` property.\n\n`x_mitre_platforms` is determined from columns prefixed with `platform.`, e.g. if a row has `platform.windows` = `true`, then `x_mitre_platforms` will be populated with `windows`.\n\nThe remaining `external_references` entries are built from all columns starting with `ref.`; the column suffix becomes the `source_name`, e.g. if a column has a value for `ref.cisa`, a record will be created as follows:\n\n```json\n{\n    \"source_name\": \"cisa\",\n    \"description\": \"https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa24-131a\"\n}\n```\n\n#### Groups (`intrusion-set`) -\u003e Tools (`tool`)\n\nThe `Intrustion Set - Threat Actors` table has the column `tools_used`, which contains a key, the `external_id` of the Tool (found in the tab `Software - Tools`), used to link the two objects. 
A relationship object is generated to represent this link.\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUIDV5\u003e\",\n    \"created\": \"\u003cCREATED TIME OF MALWARE OBJECT\u003e\",\n    \"modified\": \"\u003cMODIFIED TIME OF MALWARE OBJECT\u003e\",\n    \"created_by_ref\": \"identity--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n    \"relationship_type\": \"uses\",\n    \"source_ref\": \"intrusion-set--\u003cID\u003e\",\n    \"target_ref\": \"tool--\u003cID\u003e\",\n    \"description\": \"The group \u003cgroup.name\u003e uses \u003ctool.name\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271\",\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\"\n    ]\n}\n```\n\nThe uuidv5 is generated using the namespace `221c1248-e62e-56e5-bbfb-7d5efc477271` and the `\u003crelationship_type\u003e+\u003csource_ref\u003e+\u003ctarget_ref\u003e` property.\n\n### Bundle (`bundle`)\n\nAll objects generated each run are stored in a STIX Bundle called `ransomware-kb.json`, as follows:\n\n```json\n{\n    \"type\": \"bundle\",\n    \"id\": \"bundle--\u003cUUIDV5\u003e\",\n    \"objects\": [\n        \"ALL STIX OBJECTS CREATED\"\n    ]\n}\n```\n\nThe UUID is generated using the namespace `221c1248-e62e-56e5-bbfb-7d5efc477271` and the MD5 hash of all objects sorted in the bundle.\n\n## Contributing\n\nI welcome all contributions, enhancements, etc. to this work. 
In fact, without the community, this project will almost certainly die.\n\nTo contribute, clone this code locally:\n\n```shell\n# clone the latest code\ngit clone https://github.com/muchdogesec/ransomware_kb\n# create a venv\ncd ransomware_kb\npython3 -m venv ransomware_kb-venv\nsource ransomware_kb-venv/bin/activate\n# install requirements\npip3 install -r requirements.txt\n```\n\nThen update the spreadsheet `data/ransomware_kb_master.xlsx`.\n\nWhen you're done, run the script:\n\n```shell\npython3 generate-objects.py\n```\n\nYou'll find the objects created in the `stix2_objects` directory.\n\nIf you're ready to contribute, you can submit a pull request to this repository on GitHub.\n\n## License\n\n[Apache 2.0](/LICENSE).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fransomwarekb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmuchdogesec%2Fransomwarekb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fransomwarekb/lists"}