joshhighet / ransomwatch
the transparent ransomware claim tracker
Home Page: https://ransomwatch.telemetry.ltd
License: The Unlicense
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/l
akira
No response
v3 (onion)
// awaiting first claim
gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion
nightsky
v3 (onion)
grep 'class="mdui-card-primary-title"' nightsky.html | cut -d '>' -f 3 | cut -d '<' -f 1
http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion
Atomsilo
site update
v3 (onion)
No response
hxxp://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd[.]onion/Blog
REvil
Old REvil link now redirects to this one. Has posted new victims in past 24 hours
v3 (onion)
I believe this is the same site as when it was taken down
The parser for the BianLian group doesn't work well with - (comma) or ' (single quote). Check the recent posts:
2022-09-03 | s
2022-08-30 | LLC
2022-08-30 | group
I suggest replacing the parser line with
sed -n '/<a href="\/companies\//,/<\/a>/p' source/bianlian-*.html | egrep -o "([A-Za-z0-9 ,\'.-])+</a>" | cut -d '<' -f 1 | sed -e '/Contacts/d'
Bl00dy
Bl00dy
Bl00dy
v3 (onion)
No response
Adrastea
Adrastea
No response
v3 (onion)
No response
http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/
Medusa
No response
v3 (onion)
grep "<h3 class=\"card-title\"" source/medusa-* | cut -d ">" -f2 | cut -d '<' -f1
http://powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion
Dark Power
No response
v3 (onion)
grep '<h2 class="title-font text-2xl font-medium text-white mt-6 mb-3">' source/darkpower-* | cut -d '>' -f2 | cut -d '<' -f1
http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion/
Nevada
No response
v3 (onion)
No response
crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion
CrossLock
https://twitter.com/AlvieriD/status/1647926070098771969
https://twitter.com/siri_urz/status/1647892158739873793
https://twitter.com/AuCyble/status/1647895477063684103
v3 (onion)
grep '<div class="post-date">' source/crosslock-*.html --no-filename | grep -o 'a href.*' | cut -d'>' -f2 | sed 's/<\/a//'
maybe, just maybe - related to SeleniumHQ/selenium#10840
something updated <?> - all fetches leveraging geckodriver for rendering broken
eg. fail within runner ransomwatch/runs/7330084972 step:5:1182 (local/runner agnostic)
$ python3 -c 'import selenium; print(selenium.__version__)'
4.0.0
$ geckodriver --version
geckodriver 0.31.0
$ /Applications/Firefox.app/Contents/MacOS/firefox-bin --full-version
Mozilla Firefox 102.0.1 20220705093820 20220705093820
{
"value":{
"error":"session not created",
"message":"Error: NS_BINDING_ABORTED",
"stacktrace":"#checkLoadingState@chrome://remote/content/shared/Navigate.jsm:209:28\nonStateChange@chrome://remote/content/shared/Navigate.jsm:254:28\n"
}
}
add
options.log.level = "trace"
to geckodriver.py
to repro; trace below against https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion/auction
$ tail -f geckodriver.log
1657752931184 geckodriver::marionette DEBUG Connection to Marionette established on 127.0.0.1:62149.
1657752931213 Marionette DEBUG 0 -> [0,1,"WebDriver:NewSession",{"acceptInsecureCerts":true,"browserName":"firefox","pageLoadStrategy":"normal"}]
1657752931215 RemoteAgent WARN TLS certificate errors will be ignored for this session
1657752931226 Marionette DEBUG Waiting for initial application window
1657752931844 RemoteAgent TRACE Received DOM event load for [object HTMLDocument]
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at [redacted]", (void 0)))
1657752932878 Marionette TRACE Received observer notification browser-idle-startup-tasks-finished
1657752932879 RemoteAgent TRACE Received observer notification browser-idle-startup-tasks-finished
DevTools listening on ws://localhost:62142/devtools/browser/[redacted]
1657752932882 RemoteAgent TRACE [22] ProgressListener state=start: http://start-maximized/
1657752947612 RemoteAgent TRACE [22] ProgressListener state=stop: error=0x804b0002 (NS_BINDING_ABORTED)
1657752947613 Marionette DEBUG 0 <- [1,1,{"error":"session not created","message":"Error: NS_BINDING_ABORTED","stacktrace":"#checkLoadingState@chrome://remote/content/shared/Navigate.jsm:209:28\nonStateChange@chrome://remote/content/shared/Navigate.jsm:254:28\n"},null]
1657752947615 webdriver::server DEBUG Teardown session
1657752947615 mozrunner::runner DEBUG Killing process 86034
Exiting due to channel error.
Exiting due to channel error.
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
1657752947694 webdriver::server DEBUG <- 500 Internal Server Error {"value":{"error":"session not created","message":"Error: NS_BINDING_ABORTED","stacktrace":"#checkLoadingState@chrome://remote/content/shared/Navigate.jsm:209:28\nonStateChange@chrome://remote/content/shared/Navigate.jsm:254:28\n"}}
Sangkancil
Sangkancil
Sangkancil
v3 (onion)
No response
Stormous appears to use the following URL for publishing their leaks.
http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion
Site appears to be down right now, but it had 10+ new victims on 26 and 27 March.
Crimson Walrus
Crimson Walrus
Crimson Walrus
v3 (onion)
No response
Historic data under cuba ransomware is being listed again on 2022-11-04
The BlackBasta blog site (http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion/) is still up, but ransomwatch isn't pulling in any of the new results. I'm guessing the parser is looking in the wrong place or something.
Could have been a change on BB's side, as clicking the name of a victim on their Tor site fails to resolve, but the names and some important info is still available from the main blog page that should be parseable.
fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion
blackbyte
v3 (onion)
No response
2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
alphav
No response
v3 (onion)
No response
Horsemagyar
Horsemagyar
Horsemagyar
v3 (onion)
No response
6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion
nokoyawa
https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
v3 (onion)
awk '/<h1/{getline; print}' source/nokoyawa-*.html | sed -e 's/^ *//g' -e 's/[[:space:]]*$//'
http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion/
Free Civilian
No response
v3 (onion)
grep "class=\"a_href\">" source/freeci* | sed 's/<[^>]*>//g; s/^[ \t]*//; s/[ \t]*$//; s/+ //;'
alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
alphV, already exists in your base
New parser 'cause they use (, ), | in the Topic... Perhaps should work on a more generic regex.
v3 (onion)
egrep -o 'class="mat-h2">([[:alnum:]]|\ |\.|\||\(|\))+</h2' source/alphav-*.html | cut -d '>' -f 2 | cut -d '<' -f 1
when using alnum, content can easily be missed. When using [0-9A-Za-z], the following would pass: Advanced Micro Devices
but with the added comma the following would fail to be picked up: Advanced Micro Devices, Inc
ref grep/manual/bracketexpressions
./assets/parsers.sh -p | grep egrep
egrep -o 'class="title">([[:alnum:]]| |\.)+</a>' source/groove-*.html | cut -d '>' -f2 | cut -d '<' -f 1
egrep -o '<span style="font-size:20px;">([[:alnum:]]| |\.)+</span>' source/kelvinsecurity-*.html | cut -d '>' -f 2 | cut -d '<' -f 1
egrep -o 'fqd.onion/\?id=([[:alnum:]]| |\.)+"' source/blackbasta-*.html | cut -d = -f 2 | cut -d '"' -f 1 | sed -e 's/^ *//g' -e 's/[[:space:]]*$//'
egrep -o 'class="cls_recordTop"><p>([[:alnum:]]| |\.)+</p>' source/ransomhouse-*.html | cut -d '>' -f 3 | cut -d '<' -f 1
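The BianLian and ALPHV parser issues above, and the bracket-expression note on [[:alnum:]], all come down to the same thing: a character class that enumerates "allowed" name characters drops any victim whose name contains a character nobody listed. The following is an added example, not ransomwatch's own code, showing the same extraction done with Python's standard-library html.parser, which takes the element's whole text regardless of punctuation and decodes entities such as &amp;. The HTML is constructed to mimic the two structures discussed (BianLian-style <a href="/companies/..."> links and ALPHV-style <h2 class="mat-h2"> headings) and is not a real leak-site capture; NARROW_RE is my approximation of the egrep class used in the one-liners, included only to show what it misses.

```python
"""Victim-name extraction from leak-site HTML with a real HTML parser.

Added example, not ransomwatch's own code. The repository's parsers are
grep/sed/egrep one-liners over source/<group>-*.html; this does the same job
with the stdlib HTMLParser so that names containing ',', '&', '*', '(', ')',
'|' or an apostrophe are not silently dropped.
"""
import re
from html.parser import HTMLParser

# Constructed sample that mimics the structures discussed; not a real capture.
SAMPLE_HTML = """
<div class="list">
  <a href="/companies/acme-0">Plain Name Co.</a>
  <a href="/companies/acme-1">Advanced Micro Devices, Inc</a>
  <a href="/companies/acme-2">Smith &amp; Wesson* Holdings (LLC)</a>
  <a href="/companies/acme-3">
     O'Brien Group | Europe
  </a>
  <a href="/contacts">Contacts</a>
</div>
<h2 class="mat-h2">Example Corp (US) | Data</h2>
<h2 class="other">not a victim</h2>
"""

# Approximation (my own, for comparison) of the egrep character class used in
# several parsers on this page: alphanumerics, space and '.' up to the closing
# tag. One unlisted character anywhere in the name makes the whole match fail.
NARROW_RE = re.compile(r'<a href="/companies/[^"]*">([0-9A-Za-z .]+)</a>')


class NameCollector(HTMLParser):
    """Collect the text content of every <tag attr=...> whose attr value
    satisfies `predicate`, with entities decoded and whitespace collapsed."""

    def __init__(self, tag, attr, predicate):
        super().__init__()  # convert_charrefs=True by default: &amp; arrives as '&'
        self._tag, self._attr, self._pred = tag, attr, predicate
        self._depth = 0     # > 0 while inside a matching element
        self._buf = []
        self.names = []

    def handle_starttag(self, tag, attrs):
        if self._depth:
            if tag == self._tag:        # nested same tag: track so we close correctly
                self._depth += 1
            return
        value = dict(attrs).get(self._attr)
        if tag == self._tag and value is not None and self._pred(value):
            self._depth = 1
            self._buf = []

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if self._depth and tag == self._tag:
            self._depth -= 1
            if self._depth == 0:
                text = " ".join("".join(self._buf).split())
                if text:
                    self.names.append(text)


def extract(html, tag, attr, predicate):
    parser = NameCollector(tag, attr, predicate)
    parser.feed(html)
    parser.close()
    return parser.names


def bianlian_names(html):
    """Victim names from BianLian-style /companies/ links (the /contacts link is
    excluded by the predicate, replacing the `sed '/Contacts/d'` step)."""
    return extract(html, "a", "href", lambda href: href.startswith("/companies/"))


def alphv_names(html):
    """Victim names from ALPHV-style <h2 class="mat-h2"> headings."""
    return extract(html, "h2", "class", lambda cls: "mat-h2" in cls.split())


def narrow_regex_names(html):
    """What the enumerated-character-class approach returns on the same input."""
    return NARROW_RE.findall(html)


if __name__ == "__main__":
    print("parser  :", bianlian_names(SAMPLE_HTML))
    print("regex   :", narrow_regex_names(SAMPLE_HTML))
    print("alphv   :", alphv_names(SAMPLE_HTML))
```

Selecting by element and attribute instead of by the characters inside the name means a new punctuation mark in a victim name changes nothing; the parser still needs updating when the site's markup changes, which is the failure mode the other issues on this page describe.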
http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion
Play
On Jun 22, 2022, in the BleepingComputer forum, someone wrote that his files were encrypted with the extension "Play." Afterward, Trend Micro published an analysis article about the new ransomware variant, Play Ransomware.
Even though they seem like a new ransomware group, their identified TTPs look like the Hive and Nokoyawa ransomware families. One of the behaviors that makes them look similar is their use of AdFind, a command-line query tool capable of collecting information from Active Directory.
v3 (onion)
grep -oP '(?<=\\"\\").*?(?=div)' source/play-*.html | tr -d '<>' | tr -d \\' | grep -v \?\?
snatch.press
snatch
No response
clearnet
No response
The Clop parser is monitoring all the new posts about part1/2/3... however it's not really monitoring when a new ransomware attack occurred. I think it makes more sense to get the list of companies from the top of the page and not the posts about parts being published.
For example, the last entry with the current parser was added 2023-03-16, but according to my other monitors, this attack was already listed two days earlier, on 2023-03-14.
This issue is open to discussion, but having the new attacks monitored instead of the files being published tends to make more sense (for all the other groups it's not monitoring the new files added, only the new victims added).
Regex for the parser:
grep 'g-menu-item-title' source/clop-*.html --no-filename | sed -e s/'<span class="g-menu-item-title">'// -e s/"<\/span>"// -e 's/^ *//g' -e 's/[[:space:]]*$//' -e 's/^ARCHIVE[[:digit:]]$//' -e s/'^HOW TO DOWNLOAD?$'// -e 's/^ARCHIVE$//' -e 's/^HOME$//' -e '/^$/d'
There was already a similar issue #18 and this parser above would solve the /stats too.
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
lockbit3 / LockBit 3.0
Mirror 1: hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
Mirror 2: hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Mirror 3: hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
Mirror 4: hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
Mirror 5: hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Mirror 6: hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
Mirror 7: hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
Mirror 8: hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
Mirror 9: hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
(Replace hxxp with http; proceed with caution)
Note: has a 3-second anti-DDoS delay, as does version 2.0
victim domain names are in a div with class "post-title"
v3 (onion)
No response
mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion
monti
No response
v3 (onion)
No response
The vicesociety site appears to be correct in Ransomwatch, but it failed to pull the latest entry (Los Angeles USD) from their leak site.
vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
I'm not sure whether this is a parsing error, just wanted to point it out to try and help find a resolution.
The last posts on the BianLian ransomware blog use * in the company name
I suggest using this parser to avoid blanks
sed -n '/<a href="\/companies\//,/<\/a>/p' source/bianlian-*.html | sed 's/&/and/' | egrep -o "([A-Za-z0-9 ,*\'.-])+</a>" | cut -d '<' -f 1 | sed -e '/Contacts/d'
I also replaced & with 'and' to get a better rendering.
http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html
Stormous.X
MESSAGE:
Did you get infected with STORMOUS ransomware? Are your company's server files encrypted? Is your computer encrypted? Are all your computer files encrypted? Read the decryption rules and all your files will be restored within an hour (Stormous.X can infect an entire network in less than an hour)
SHOP:
http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/shop.html
v3 (onion)
No response
Crypt0n
Crypt0n
Crypt0n
v3 (onion)
No response
current date 24/3/23 but site shows
there have been 794 posts within the last 90 days
there have been 744 posts within the year of 2023
impossible!
The BlackByte ransomware group has changed (again) their webpage.
The victims' names can be found in the class="target-name" h1 tag.
Here is a parser which seems to work fine (for now):
grep --no-filename 'class="target-name"' source/blackbyte-*.html | cut -d '>' -f 2 | cut -d '<' -f 1 | sed -e 's/^ *//g' -e '/^$/d' -e 's/[[:space:]]*$//'
While conducting some data validation, I observed that the entry for ttdwest on the blackbasta leak site (hxxps://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion/) does not show up in the ransomwatch post data. Other sources indicate this by its name from the post's description, Total Transportation & Distribution, Inc.
Blackbasta's a tough site to review, since it shows a good amount of info about the victim (site, address, description, etc), but does not include the date of the victimization.
Mostly posting this to see whether there's something I'm missing in reviewing the results.
to be done
http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion
moneymessage
/news.php?contentId=1
v3 (onion)
cat source/moneymessage-*.html | jq '.name' -r || true
Alphabetizing the group index would make it much easier to navigate. Also having two sub-groups for active (green) link groups and dead (red) link groups would be helpful to sort out what is recent.
too many posts in series - challenges validity of the graphs (part 1/2/3/4 etc etc)
unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion
unsafeleak
aggregation site / leak platform
v3 (onion)
No response
The original version doesn't seem to work due to an error in the NS lookup function (not using the Tor tunnel).
I modified the original version, inspired by the version from RansomLook.
I'm sure the code could be lighter; I did not check whether all imports are still necessary.
Needs Playwright:
pip3 install -r requirements.txt
playwright install
I cannot do a PR because I modified so many things at the same time, sorry.
The monthly post count has an error: the function counts all posts for the month regardless of the year.
I suggest checking only the current year:
in sharedutils.py (line 348)

from datetime import datetime   # needed at the top of sharedutils.py

def mounthlypostcount():
    '''
    returns the number of posts within the current month of the current year
    '''
    post_count = 0
    posts = openjson('posts.json')   # sharedutils' own JSON loader
    now = datetime.now()             # read the clock once so month and year agree
    current_month = now.month
    current_year = now.year
    for post in posts:
        # 'discovered' is stored as e.g. '2023-03-24 12:00:00.000000'
        datetime_object = datetime.strptime(post['discovered'], '%Y-%m-%d %H:%M:%S.%f')
        # compare the year as well as the month, otherwise March 2022 posts are counted for March 2023
        if datetime_object.year == current_year and datetime_object.month == current_month:
            post_count += 1
    return post_count

PS: there is a typo in the name of the function (monthly, not mounthly) but not a big deal.
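The month-only bug above and the earlier report of "794 posts within the last 90 days" against "744 posts within the year of 2023" on 24/3/23 are both questions of which window a counter actually applies. The following is an added example, not ransomwatch's own code: it takes the reference time as a parameter instead of calling datetime.now(), so each window (calendar month with year, year to date, trailing N days) can be checked on fixed data. The records are constructed to have the same shape as posts.json entries, with 'discovered' in the '%Y-%m-%d %H:%M:%S.%f' format the page quotes; the dates are invented. Note that a trailing 90-day window evaluated in January, February or March starts in the previous year, so it is not bounded by the year-to-date count.

```python
"""Post-count statistics with explicit year/month/rolling windows.

Added example, not ransomwatch's own code. Every function takes `now`
explicitly so the windows can be verified on constructed data.
"""
from datetime import datetime, timedelta

DISCOVERED_FMT = "%Y-%m-%d %H:%M:%S.%f"   # format quoted in the issue above

# Constructed sample: same fields as posts.json entries, invented values.
SAMPLE_POSTS = [
    {"post_title": "a", "group_name": "x", "discovered": "2022-03-10 08:00:00.000000"},
    {"post_title": "b", "group_name": "x", "discovered": "2022-12-28 09:30:00.000000"},
    {"post_title": "c", "group_name": "y", "discovered": "2023-01-15 10:00:00.000000"},
    {"post_title": "d", "group_name": "y", "discovered": "2023-03-02 11:00:00.000000"},
    {"post_title": "e", "group_name": "z", "discovered": "2023-03-20 12:00:00.000000"},
]

# The date quoted in the stats report above, used as the reference time.
NOW = datetime(2023, 3, 24, 12, 0, 0)


def _discovered(post):
    """Parse the 'discovered' timestamp of one post."""
    return datetime.strptime(post["discovered"], DISCOVERED_FMT)


def monthly_post_count_month_only(posts, now):
    """Reproduces the reported defect: compares the month and ignores the year."""
    return sum(1 for p in posts if _discovered(p).month == now.month)


def monthly_post_count(posts, now):
    """Posts discovered in the same calendar year AND month as `now`."""
    target = (now.year, now.month)
    return sum(1 for p in posts
               if (_discovered(p).year, _discovered(p).month) == target)


def year_to_date_count(posts, now):
    """Posts discovered in `now`'s calendar year, up to and including `now`."""
    return sum(1 for p in posts
               if _discovered(p).year == now.year and _discovered(p) <= now)


def trailing_days_count(posts, now, days=90):
    """Posts discovered in the half-open window (now - days, now]."""
    start = now - timedelta(days=days)
    return sum(1 for p in posts if start < _discovered(p) <= now)


if __name__ == "__main__":
    print("month only (buggy):", monthly_post_count_month_only(SAMPLE_POSTS, NOW))
    print("month + year      :", monthly_post_count(SAMPLE_POSTS, NOW))
    print("year to date      :", year_to_date_count(SAMPLE_POSTS, NOW))
    print("trailing 90 days  :", trailing_days_count(SAMPLE_POSTS, NOW))
```

On the sample, the month-only counter reports 3 for March 2023 because it also picks up the March 2022 post, the corrected counter reports 2, and the trailing 90-day count (4) exceeds the year-to-date count (3) because the window reaches back to 24 December 2022.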
bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion
Blacktor
"slug": "http://bl%40ckt0r:bl%40ckt0r@bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion/0x00/data-breach.html"
To get the list of victims
v3 (onion)
grep '>Details</a></td>' source/blacktor-*.html --no-filename |cut -f2 -d'"' |cut -f2- -d- |cut -f1 -d.
http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion
Monti
v3 (onion)
grep '<h5 style="color:#dbdbdb" >' source/monti-*.html | cut -d '>' -f 2 | cut -d '<' -f 1
http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/
V is Vendetta
A new blog from Cuba Ransomware Gang
v3 (onion)
grep --no-filename '<a href="/company/' source/vendetta-*.html | cut -d '/' -f 3 | cut -d '"' -f 1 | sort --uniq | grep -v company
http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion/
Dataleak
Not much, actually
v3 (onion)
grep '<h2 class="post-title">' source/dataleak-*.html | cut -d '>' -f 2 | cut -d '<' -f 1
http://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
blackbasta
v3 (onion)
unknown, appears down, ret. code 400