Ransomware.live

Interact with the ransomware.live API

Actions16

8-K Filing Actions
- List Filings
CSIRT Entry Actions
- Get CSIRT Entries
Group Actions
- Get Group Details
IOC Actions
- List IOC Groups
- Get Group IOCs
Negotiation Actions
- List Group Negotiations
- Get Negotiation Chat
Press Article Actions
- List Articles
- List Recent Articles
Ransomnote Actions
- List Group Ransomnotes
- Get Ransomnote
Victim Actions
YARA Rule Actions
- Get Group YARA Rules

Overview

This node integrates with the ransomware.live API to search for victims of ransomware attacks. It allows users to filter victim data by various criteria such as ransomware group, sector, country, and keyword queries matching victim post titles or websites. This is useful for cybersecurity analysts, threat intelligence teams, or researchers who want to monitor ransomware victim information, track trends, or gather data for further investigation.

Practical examples:

Searching for all victims associated with a specific ransomware group like "lockbit".
Filtering victims in a particular industry sector such as healthcare.
Finding victims located in a specific country using its 2-letter code.
Performing keyword searches to find victims based on relevant posts or website content.

Properties

Name	Meaning
Group	Filter results by ransomware group name (e.g., "lockbit").
Sector	Filter results by victim's sector or industry (e.g., "healthcare").
Country	Filter results by 2-letter country code representing victim location (e.g., "US", "FR").
Search Query	Keyword to match against victim post titles or websites for more targeted searching.

Output

The output is a JSON array containing victim records returned from the ransomware.live API. Each item represents a victim entity with details as provided by the API. The exact structure depends on the API response but typically includes fields related to the victim's identity, associated ransomware group, sector, country, and other metadata.

No binary data output is produced by this node.

Dependencies

Requires an API key credential for the ransomware.live service.
The node makes HTTP GET requests to the ransomware.live API endpoint (default base URL: https://api-pro.ransomware.live).
Proper configuration of the API authentication credential within n8n is necessary.

Troubleshooting

Unsupported operation error: If you select an operation not supported for the Victim resource (other than "list", "search", "recent", or "get"), the node will throw an error indicating unsupported operation. Ensure you use only valid operations.
Missing or invalid API credentials: The node requires a valid API key credential. Failure to provide or incorrect credentials will result in authentication errors.
Empty or no results: If filters are too restrictive or no matching victims exist, the output may be empty. Try broadening your search criteria.
Network or API errors: Temporary network issues or API downtime can cause request failures. Check connectivity and API status.
Invalid parameter values: Providing invalid country codes or group names may lead to no results or errors. Use correct and existing values.

Links and References

ransomware.live API Documentation (for detailed API endpoints and parameters)
n8n Documentation (for general usage of custom nodes and credentials)