Ransomware.live

Interact with the ransomware.live API

Actions16

8-K Filing Actions
- List Filings
CSIRT Entry Actions
- Get CSIRT Entries
Group Actions
- Get Group Details
IOC Actions
- List IOC Groups
- Get Group IOCs
Negotiation Actions
- List Group Negotiations
- Get Negotiation Chat
Press Article Actions
- List Articles
- List Recent Articles
Ransomnote Actions
- List Group Ransomnotes
- Get Ransomnote
Victim Actions
YARA Rule Actions
- Get Group YARA Rules

Overview

This node integrates with the ransomware.live API to retrieve information about victims of ransomware attacks. Specifically, the "List Victims" operation fetches a list of victim entities filtered by various criteria such as ransomware group, sector, country, year, month, and date field type. This node is useful for cybersecurity analysts, threat intelligence teams, or researchers who want to monitor ransomware attack victims based on specific filters.

Practical examples include:

Listing all victims attacked by a particular ransomware group (e.g., LockBit).
Filtering victims in a certain industry sector like healthcare.
Retrieving victims from a specific country or within a given year and month.
Using different date fields (discovered, published, attacked) to refine the time-based filtering.

Properties

Name	Meaning
Group	Filter victims by ransomware group name (e.g., lockbit).
Sector	Filter victims by victim sector (e.g., healthcare).
Country	Filter victims by 2-letter country code (e.g., US, FR).
Year	Filter victims by 4-digit year (e.g., 2024).
Month	Filter victims by 2-digit month (e.g., 03).
Date Field	Select which date field to use for filtering: Discovered (default), Published, or Attacked.

Output

The output is an array of JSON objects representing victim records retrieved from the ransomware.live API. Each object contains details about a victim entity matching the specified filters. The exact structure depends on the API response but typically includes fields such as victim name, associated ransomware group, sector, country, dates related to the incident, and other metadata.

No binary data output is produced by this operation.

Dependencies

Requires an API key credential for the ransomware.live API.
The node uses the base URL https://api-pro.ransomware.live unless overridden by credentials.
Proper configuration of the API authentication credential in n8n is necessary.

Troubleshooting

Unsupported Operation Error: If you select an operation other than "list" for the Victim resource, the node will throw an error indicating unsupported operation. Ensure you choose "list" when working with victims.
Invalid Filters: Providing invalid values for filters like country codes or date formats may result in empty responses or API errors. Verify filter inputs conform to expected formats (e.g., 2-letter country codes, 4-digit years).
Authentication Errors: Missing or incorrect API credentials will cause authentication failures. Confirm that the API key credential is correctly set up and valid.
Empty Results: If no victims match the filters, the output will be an empty array. Try broadening your filters or removing some constraints.

Links and References

ransomware.live API Documentation (for detailed API endpoints and data schema)
n8n Documentation (for general usage of custom nodes and credentials)