Ransomware.live

Interact with the ransomware.live API

Actions16

8-K Filing Actions
- List Filings
CSIRT Entry Actions
- Get CSIRT Entries
Group Actions
- Get Group Details
IOC Actions
- List IOC Groups
- Get Group IOCs
Negotiation Actions
- List Group Negotiations
- Get Negotiation Chat
Press Article Actions
- List Articles
- List Recent Articles
Ransomnote Actions
- List Group Ransomnotes
- Get Ransomnote
Victim Actions
YARA Rule Actions
- Get Group YARA Rules

Overview

This node integrates with the ransomware.live API to retrieve detailed information about ransomware ransom notes. Specifically, the Get Ransomnote operation fetches the content or metadata of a specific ransom note file associated with a given ransomware group.

Typical use cases include:

Security analysts wanting to review ransom notes published by ransomware groups.
Incident responders gathering intelligence on ransomware campaigns.
Threat researchers collecting ransom note samples for analysis or detection rule creation.

For example, you can specify the ransomware group "lockbit" and a ransom note filename like "note1.txt" to retrieve that exact ransom note from the ransomware.live database.

Properties

Name	Meaning
Group	The name of the ransomware group (e.g., "lockbit") whose ransom note you want to retrieve.
Note Name	The filename of the ransom note (e.g., "note1.txt") to fetch from the specified group.

Output

The output is a JSON object representing the ransom note data returned by the ransomware.live API. This typically includes the content and metadata of the ransom note file identified by the group and note name.

If multiple items are returned (unlikely for this operation), they are flattened into an array.
The json field contains the ransom note details.
No binary data output is indicated for this operation.

Example output structure (simplified):

{
  "group": "lockbit",
  "noteName": "note1.txt",
  "content": "Ransom note text here...",
  "metadata": {
    "date": "2023-01-01",
    "id": "12345"
  }
}

Dependencies

Requires an API key credential for the ransomware.live API.
The node uses the base URL https://api-pro.ransomware.live by default but can be configured via credentials.
HTTP GET requests are made to endpoints like /ransomnotes/{group}/{noteName}.

Troubleshooting

Unsupported operation error: Occurs if an invalid operation is selected for the resource. Ensure the operation is exactly "get" when using the "ransomnotes" resource.
Missing required parameters: Both "Group" and "Note Name" must be provided; otherwise, the API call will fail.
API authentication errors: Verify that the API key credential is correctly set up and has necessary permissions.
Network or API errors: Check network connectivity and ransomware.live service status.

Links and References

ransomware.live API Documentation (for detailed API endpoint info)
n8n Documentation (for general node usage and credential setup)