Skip to content

muchdogesec/ransomware2stix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
docs
docs
 
 
ransomware2stix
ransomware2stix
 
 
.env.example
.env.example
 
 
.env.markdown
.env.markdown
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

ransomware2stix

Overview

ransomware2stix turns ransomware intelligence on ransomware.live into STIX 2.1 objects (consider supporting the project).

We build this because our tooling is stuctured in STIX 2.1 and we wanted to add ransomware.live data for additional context on our research.

ransomware2stix supports:

  • MITRE ATT&CK tagging of ransomware groups
  • Tracking of crypto wallets linked to groups
  • Linking tools to groups (including support for the Ransomware Tool Matrix)
  • Identification of ransomware victims with group attribution

Install

# clone the latest code
git clone https://github.com/muchdogesec/ransomware2stix
# create a venv
cd ransomware2stix
python3 -m venv ransomware2stix-venv
source ransomware2stix-venv/bin/activate
# install requirements
pip3 install -r requirements.txt

Environment Setup

You will need a ransomware.live API key. Sign up here to get one.

Create a .env file in the root directory:

RANSOMWARE_LIVE_API_KEY=YOUR_API_KEY_HERE

Run

python3 -m ransomware2stix \
	--min_discovered YYYY-MM-DD \
	--max_discovered YYYY-MM-DD \
	--groups GROUP_NAME [GROUP_NAME ...]

Where:

  • --min_discovered (optional, YYYY-MM-DD): Filter results to only include victims discovered after this date. Filters based on both attack date and discovery date. Default includes all historical data.
  • --max_discovered (optional, YYYY-MM-DD): Filter results to only include victims discovered before this date (inclusive, set to 23:59:59.999999 of the specified day). Default includes all future data.
  • --groups (optional): Filter output to only include specific ransomware group(s). Accepts one or more group names (space-separated). Group names are case-insensitive. Default processes all groups.

The script outputs JSON bundles to the outputs/ directory:

├── outputs
│   └── bundles
│       ├── <GROUP_NAME_1>.json
│       ├── <GROUP_NAME_2>.json
│       └── ...
├── logs
│   └── ransomware2stix-YYYY-MM-DDTHH-MM-SS.txt

Examples

Get data for all groups with victims discovered in January 2025:

python3 -m ransomware2stix \
	--min_discovered 2025-01-01 \
	--max_discovered 2025-01-31

Get all data for the clop group:

python3 -m ransomware2stix \
	--groups clop

Get data for multiple specific groups:

python3 -m ransomware2stix \
	--groups clop akira lockbit3

Note, to get all available group names you can query the ransomware.live API:

curl -X 'GET' \
  'https://api-pro.ransomware.live/groups' \
  -H 'X-API-KEY: YOUR_API_KEY'

The group value in the response can be used with the --groups argument.

How it Works

For a detailed explanation of how ransomware2stix collects data from the ransomware.live API and converts it to STIX 2.1 objects, see docs/README.md.

The documentation covers:

  • Data collection workflow and API endpoint optimization
  • STIX object generation for groups, victims, tools, TTPs, and IOCs
  • Relationship mapping between objects
  • UUIDv5 generation logic for deterministic IDs

Useful supporting tools

Other ransomware tools we love

License

Apache 2.0.

About

STIX 2.1 bundles of ransomware group intelligence

www.dogesec.com

Topics

malware ransomware ransom

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Contributors

Languages