ransomwatch: ransomware leak site monitoring tool
RansomWatch
RansomWatch is a ransomware leak site monitoring tool. It will scrape all of the entries on various ransomware leak sites, store the data in an SQLite database, and send notifications via Slack or Discord when a new victim shows up, or when a victim is removed.
Leak Site Implementations
The following leak sites are supported:
- Conti
- Sodinokibi/REvil
- Pysa
- Avaddon
- DarkSide
- CL0P
- Nefilim
- Mount Locker
- Suncrypt
- Everest
- Ragnarok
- Ragnar_Locker
- BABUK LOCKER
- Pay2Key
- Cuba
- RansomEXX
- Pay2Key
- Ranzy Locker
- Astro Team
- BlackMatter
- Arvin
- El_Cometa
- Lorenz
- Lockbit
- AvosLocker
- LV
- Marketo
- Lockdata
Download
git clone https://github.com/captainGeech42/ransomwatch.git
Configuration
In config_vol/, please copy config.sample.yaml to config.yaml, and add the following:
- Leak site URLs. I decided not to make this list public in order to prevent them from gaining even more notoriety, so if you have them, add them in. If not, this tool isn’t for you.
- To get the Hive API onion, load their main site and press F12 to use the developer tools. Look for XHR requests, you should see a few to a hiveapi… onion domain.
- Notification destinations. RansomWatch currently supports notifying via. the following:
- Slack: Follow these instructions to add a new app to your Slack workspace and add the webhook URL to the config.
- Discord: Follow these instructions to add a new app to your Discord server and add the webhook URL to the config.
- Teams: Follow these instructions to add a new app to your Teams channel and add the webhook URL to the config.
Additionally, there are a few environment variables you may need to set:
- RW_DB_PATH: Path for the SQLite database to use
- RW_CONFIG_PATH: Path to the config.yaml file
These are both set in the provided docker-compose.yml.
Use
Copyright (c) 2021 Zander Work
