Ransomware.live

Interact with the ransomware.live API

Overview

This node integrates with the ransomware.live API to retrieve Indicators of Compromise (IOCs) related to ransomware groups. Specifically, the "Get Group IOCs" operation fetches IOC data filtered by a ransomware group name and optionally by IOC type (such as md5 hashes, IP addresses, or email addresses). This is useful for cybersecurity analysts and threat intelligence teams who want to gather up-to-date threat indicators associated with specific ransomware groups to enhance detection, monitoring, and response efforts.

Practical examples include:

  • Fetching all known IP addresses used by a ransomware group like "lockbit3" to block malicious traffic.
  • Retrieving file hashes (md5) linked to ransomware samples from a particular group for malware scanning.
  • Collecting email addresses involved in phishing campaigns attributed to a ransomware actor.

Properties

Name        Meaning
IOC Type    Filter by IOC type. Options include types such as md5, ip, email.
Group       The ransomware group name to look up IOCs for (e.g., lockbit3). This is a required field.

Output

The output is a JSON array containing the IOC data retrieved from the ransomware.live API for the specified ransomware group and optional IOC type filter. Each item in the array represents an individual IOC record with details as provided by the API.

No binary data output is produced by this node.

Dependencies

  • Requires an API key credential for the ransomware.live API.
  • The node uses the base URL https://api-pro.ransomware.live by default but can be configured via credentials.
  • Proper network access to the ransomware.live API endpoint is necessary.

Troubleshooting

  • Unsupported Operation or Resource Errors: If you select an unsupported operation or resource combination, the node throws an error naming the unsupported action. Use only the supported combination (the get operation on the IOC resource).
  • Missing Required Parameters: The "Group" property is mandatory. Omitting it will cause errors.
  • API Authentication Failures: Invalid or missing API credentials will result in authentication errors. Verify that the API key credential is correctly configured.
  • Empty or Unexpected Responses: If no IOCs are found for the given group/type, the output may be empty or minimal. Confirm the group name and IOC type are valid and exist in the ransomware.live database.
  • Network Issues: Connectivity problems to the ransomware.live API endpoint will cause request failures. Check your network and firewall settings.
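To show what the node does with the Properties above and how the Troubleshooting cases surface in practice, here is an added Python example that is not part of the node or of the ransomware.live project. Only the base URL comes from this page; the endpoint path, the API key header name and the IOC record field names ("type", "value") are assumptions made for illustration, and the sample response is constructed, not real ransomware.live data.

```python
"""Added example: reproduce the node's "Get Group IOCs" flow outside n8n.

The base URL below is the one the node documentation states. The endpoint
path, the API key header name and the IOC record field names ("type",
"value") are ASSUMPTIONS for illustration; check them against the
ransomware.live API reference before use.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api-pro.ransomware.live"   # documented default
IOC_PATH = "/iocs/{group}"                    # assumed endpoint path
API_KEY_HEADER = "X-API-KEY"                  # assumed header name
SUPPORTED_TYPES = ("md5", "ip", "email")      # IOC Type options named in the docs

# Constructed sample response (not real ransomware.live data). It contains a
# duplicate IP, inconsistent casing/whitespace and a record without a value,
# so the indexing step below has something to normalize.
SAMPLE_RESPONSE = [
    {"type": "ip", "value": "198.51.100.23", "group": "lockbit3"},
    {"type": "ip", "value": "198.51.100.23", "group": "lockbit3"},
    {"type": "IP", "value": " 203.0.113.9 ", "group": "lockbit3"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "group": "lockbit3"},
    {"type": "email", "value": "payments@example.invalid", "group": "lockbit3"},
    {"type": "email", "value": "", "group": "lockbit3"},
]


def build_request(group, ioc_type=None, api_key="<API-KEY-PLACEHOLDER>"):
    """Return (url, headers) for a group lookup, applying the node's own rules:
    Group is mandatory, IOC Type is optional and limited to the documented set."""
    if not group or not group.strip():
        raise ValueError("Group is a required field")
    if ioc_type is not None and ioc_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported IOC type {ioc_type!r}; use one of {SUPPORTED_TYPES}")
    url = BASE_URL + IOC_PATH.format(group=urllib.parse.quote(group.strip(), safe=""))
    if ioc_type:
        url += "?" + urllib.parse.urlencode({"type": ioc_type})
    headers = {API_KEY_HEADER: api_key, "Accept": "application/json"}
    return url, headers


def fetch_group_iocs(group, ioc_type=None, api_key="<API-KEY-PLACEHOLDER>", timeout=15):
    """Perform the HTTP call and map the failure modes from the Troubleshooting
    section onto distinct exceptions. Needs network access; not run offline."""
    url, headers = build_request(group, ioc_type, api_key)
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return json.load(response)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise PermissionError("authentication failed: check the API key credential") from exc
        raise
    except urllib.error.URLError as exc:
        raise ConnectionError(f"cannot reach {BASE_URL}: {exc.reason}") from exc


def index_iocs(records, ioc_type=None):
    """Turn the JSON array into {type: sorted unique values}.

    Blank values are dropped, types are lower-cased, and an empty array (the
    "Empty or Unexpected Responses" case) yields {} rather than an error.
    """
    if not isinstance(records, list):
        raise TypeError("expected a JSON array of IOC records")
    index = {}
    for record in records:
        kind = str(record.get("type", "")).strip().lower()
        value = str(record.get("value", "")).strip()
        if not kind or not value or (ioc_type and kind != ioc_type):
            continue
        index.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in sorted(index.items())}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_group_iocs()
    # once a real API key credential is configured.
    url, _ = build_request("lockbit3", "ip")
    print("would request:", url)
    for kind, values in index_iocs(SAMPLE_RESPONSE).items():
        print(f"{kind}: {len(values)} unique indicator(s)")
```

The split between build_request, fetch_group_iocs and index_iocs keeps the validation and the normalization testable without network access, which is also how you would check a workflow's IOC handling before pointing it at the live API.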
