Add RansomLook expansion module (ransomware-group-post MISP objects)

[adulau]

Motivation

• Provide an expansion/hover module to query RansomLook's /api/search endpoint from MISP and convert matching leak-site posts into standard MISP objects.
• Allow searching from any attribute value (including free-text) so analysts can quickly enrich events with leak-site posts.

Description

• Add misp_modules/modules/expansion/ransomlook.py which implements a MISP expansion/hover module that queries https://www.ransomlook.io/api/search with the attribute value and api-key header.
• Introspect PyMISP attribute types via pymisp.data.describeTypes.json and include freetext in the module input types so arbitrary text attributes may be used.
• Map common RansomLook fields (e.g. group_name, post_title, discovered, post_url, country, sector, website, description) into the ransomware-group-post MISP object relations and attach object references back to the queried attribute when present.
• Add robust parsing/normalisation of API hits, basic HTTP/error handling, and return results in misp_standard format; module configuration uses api-key.
• Add unit tests in tests/test_ransomlook.py covering successful conversion, missing API key, and HTTP error handling.

Testing

• Ran pytest tests/test_ransomlook.py -q, which passed (3 passed).
• Ran python -m py_compile misp_modules/modules/expansion/ransomlook.py tests/test_ransomlook.py, which succeeded.
• Ran python -m black --check misp_modules/modules/expansion/ransomlook.py tests/test_ransomlook.py, which passed.
• Ran repository introspection check python -m pytest tests/test.py::TestModules::test_introspection_module_structure -q, which failed due to the misp_modules.modules.expansion package lacking a module __all__ attribute in this checkout (a pre-existing repository-level introspection issue, not a regression in the added module).

---

Codex Task