Ransomware.live

Interact with the ransomware.live API

Actions16

8-K Filing Actions
- List Filings
CSIRT Entry Actions
- Get CSIRT Entries
Group Actions
- Get Group Details
IOC Actions
- List IOC Groups
- Get Group IOCs
Negotiation Actions
- List Group Negotiations
- Get Negotiation Chat
Press Article Actions
- List Articles
- List Recent Articles
Ransomnote Actions
- List Group Ransomnotes
- Get Ransomnote
Victim Actions
YARA Rule Actions
- Get Group YARA Rules

Overview

This node integrates with the ransomware.live API to retrieve data related to ransomware negotiations. Specifically, the Get Negotiation Chat operation fetches the chat transcript or messages associated with a particular negotiation group and chat ID. This is useful for cybersecurity analysts, incident responders, or threat intelligence teams who want to review communication logs between ransomware victims and attackers or monitor ongoing negotiations.

Practical examples:

Retrieving chat history from a known ransomware group (e.g., "lockbit") for analysis.
Monitoring negotiation conversations to gather intelligence on attacker demands or tactics.
Archiving negotiation chats for reporting or legal purposes.

Properties

Name	Meaning
Group	The name of the ransomware group involved in the negotiation (e.g., "lockbit").
Chat ID	The identifier of the chat file (filename without extension) representing the chat session (e.g., "20240517").

Output

The output JSON contains the data returned by the ransomware.live API endpoint for the specified negotiation group and chat ID. Typically, this will be the chat transcript or messages exchanged during that negotiation.

The structure depends on the API response but generally includes details such as timestamps, sender identities, and message content.
If multiple items are returned, they are flattened into an array of JSON objects.
No binary data output is indicated for this operation.

Dependencies

Requires an API key credential for the ransomware.live API.
The node uses the base URL https://api-pro.ransomware.live by default unless overridden by the credential configuration.
Proper network access to the ransomware.live API endpoint is necessary.

Troubleshooting

Unsupported operation error: If you select an operation other than "getChat" for the "Negotiation" resource, the node will throw an error indicating unsupported operation.
Missing required parameters: Both "Group" and "Chat ID" are mandatory. Omitting either will cause the node to fail.
Authentication errors: Ensure the API key credential is correctly configured and valid.
API rate limits or downtime: The node relies on external API availability; network issues or rate limiting may cause failures.
Malformed chat ID or group name: Incorrect encoding or invalid names might result in 404 or empty responses.

To resolve these:

Double-check input parameters.
Verify API credentials.
Review API status or contact ransomware.live support if persistent issues occur.

Links and References

ransomware.live API Documentation (for detailed API endpoints and data formats)
n8n Documentation (for general usage of custom nodes and credentials)