Ransomware.live

Interact with the ransomware.live API

Actions16

8-K Filing Actions
- List Filings
CSIRT Entry Actions
- Get CSIRT Entries
Group Actions
- Get Group Details
IOC Actions
- List IOC Groups
- Get Group IOCs
Negotiation Actions
- List Group Negotiations
- Get Negotiation Chat
Press Article Actions
- List Articles
- List Recent Articles
Ransomnote Actions
- List Group Ransomnotes
- Get Ransomnote
Victim Actions
YARA Rule Actions
- Get Group YARA Rules

Overview

This node integrates with the ransomware.live API to retrieve information about ransomware negotiations. Specifically, the "List Group Negotiations" operation fetches negotiation data related to a specified ransomware group. This is useful for cybersecurity analysts, threat intelligence teams, or incident responders who want to monitor ongoing or past ransom negotiations involving particular ransomware groups.

Practical examples include:

Listing all negotiation records associated with a ransomware group like "lockbit" to analyze their negotiation patterns.
Tracking communication threads or chat histories related to ransom demands from specific groups.
Integrating negotiation data into security dashboards or automated workflows for alerting and reporting.

Properties

Name	Meaning
Group	Ransomware group name (e.g., "lockbit")

The "Group" property is required and specifies the ransomware group whose negotiations you want to list.

Output

The node outputs JSON data representing the negotiation records retrieved from the ransomware.live API for the specified group. The structure depends on the API response but generally includes details about each negotiation instance such as timestamps, involved parties, status, and possibly messages exchanged.

If multiple negotiation records are returned, they are output as an array of JSON objects. If a single object is returned, it is wrapped in a JSON object under the json field.

No binary data output is produced by this operation.

Dependencies

Requires an API key credential for the ransomware.live API.
The node uses the base URL https://api-pro.ransomware.live by default unless overridden by credentials.
Proper configuration of the API authentication credential within n8n is necessary for successful requests.

Troubleshooting

Common issues:
- Missing or invalid API credentials will cause authentication failures.
- Providing an unsupported operation or resource combination will throw an error.
- Incorrect or misspelled ransomware group names may result in empty responses or errors.
Error messages:
- "Unsupported operation \"listByGroup\" for resource \"negotiations\"" indicates that the operation name was mistyped or not supported.
- Network or authentication errors typically indicate problems with the API key or connectivity.
Resolutions:
- Verify that the API key credential is correctly set up and has proper permissions.
- Double-check the spelling and casing of the ransomware group name.
- Ensure the operation and resource parameters match exactly as defined.

Links and References

ransomware.live API Documentation (for detailed API endpoints and data structures)
n8n Documentation (for general node usage and credential setup)