RansomWatch
RansomWatch is a ransomware leak site monitoring tool. It will scrape all of the entries on various ransomware leak sites, store the data in a SQLite database, and send notifications via Slack or Discord when a new victim shows up, or when a victim is removed.
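To make the scrape-store-diff-notify loop concrete, here is an added example that is not RansomWatch's own code: the `victims` table schema, the `Victim` type, the site name and the victim names are all assumptions made for illustration. It reconciles one run's scrape of a leak site against a SQLite table, reports which victims are new and which were removed, updates the table so the next cron run only reports further changes, and builds the JSON body a Slack or Discord incoming webhook accepts. It also handles the failure mode a practitioner hits first: an empty scrape (the onion site was unreachable) must not be treated as "every victim was removed".

```python
import json
import sqlite3
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical schema (not RansomWatch's own): one row per (site, victim);
# removed_at is set when the entry disappears from the leak site.
SCHEMA = """
CREATE TABLE IF NOT EXISTS victims (
    site       TEXT NOT NULL,
    name       TEXT NOT NULL,
    url        TEXT,
    first_seen TEXT NOT NULL DEFAULT (datetime('now')),
    removed_at TEXT,
    PRIMARY KEY (site, name)
);
"""


@dataclass(frozen=True)
class Victim:
    site: str
    name: str
    url: str = ""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def reconcile(conn: sqlite3.Connection, site: str,
              scraped: Iterable[Victim]) -> Tuple[List[str], List[str]]:
    """Diff one run's scrape of `site` against the stored state and
    persist the result. Returns (added, removed) victim names."""
    seen = {v.name: v for v in scraped}
    # Caveat: an empty scrape almost always means the site was unreachable
    # over Tor, not that every victim was delisted. Taking it at face value
    # would mark everything removed and flood the notification channel.
    if not seen:
        return [], []
    rows = conn.execute(
        "SELECT name FROM victims WHERE site = ? AND removed_at IS NULL",
        (site,),
    ).fetchall()
    known = {r[0] for r in rows}
    added = sorted(set(seen) - known)
    removed = sorted(known - set(seen))
    with conn:  # one transaction per site
        for name in added:
            # Insert if never seen; otherwise clear removed_at so a victim
            # that was delisted and later reposted is reported as new again.
            conn.execute(
                "INSERT OR IGNORE INTO victims (site, name, url) VALUES (?, ?, ?)",
                (site, name, seen[name].url))
            conn.execute(
                "UPDATE victims SET removed_at = NULL, url = ? "
                "WHERE site = ? AND name = ?",
                (seen[name].url, site, name))
        for name in removed:
            conn.execute(
                "UPDATE victims SET removed_at = datetime('now') "
                "WHERE site = ? AND name = ?",
                (site, name))
    return added, removed


def format_message(site: str, added: List[str], removed: List[str]) -> str:
    lines = [f"[{site}] +{len(added)} new, -{len(removed)} removed"]
    lines += [f"  new:     {n}" for n in added]
    lines += [f"  removed: {n}" for n in removed]
    return "\n".join(lines)


def webhook_payload(kind: str, text: str) -> dict:
    """Minimal JSON bodies accepted by Slack and Discord incoming webhooks."""
    if kind == "slack":
        return {"text": text}
    if kind == "discord":
        return {"content": text}
    raise ValueError(f"unsupported notifier: {kind}")


def post_webhook(url: str, kind: str, text: str) -> None:
    """Network send; not exercised in the offline run below."""
    body = json.dumps(webhook_payload(kind, text)).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=15).close()


def run_once(conn: sqlite3.Connection,
             scrapes: Dict[str, List[Victim]]) -> List[str]:
    """One cron tick: reconcile every site, return the messages to send."""
    messages = []
    for site, victims in scrapes.items():
        added, removed = reconcile(conn, site, victims)
        if added or removed:
            messages.append(format_message(site, added, removed))
    return messages


if __name__ == "__main__":
    # Constructed sample data, not real leak-site entries.
    db = open_db()
    first = {"example-site": [Victim("example-site", "acme-corp"),
                              Victim("example-site", "globex")]}
    second = {"example-site": [Victim("example-site", "acme-corp"),
                               Victim("example-site", "initech")]}
    for msg in run_once(db, first) + run_once(db, second):
        print(msg)
```

Running the block twice with different scrapes prints the two diffs; wiring `post_webhook` to a real webhook URL is the only step left to reproduce the notification behaviour described above.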
Configuration
In config_vol/, copy config.sample.yaml to config.yaml and add the following:
- Leak site URLs. I decided not to make this list public in order to prevent them from gaining even more notoriety, so if you have them, add them in. If not, this tool isn't for you.
- Notification destinations. RansomWatch currently supports notifying via Slack and Discord.
Additionally, there are a few environment variables you may need to set:
- RW_DB_PATH: Path to the SQLite database to use
- RW_CONFIG_PATH: Path to the config.yaml file
These are both set in the provided docker-compose.yml.
Usage
This is intended to be run in Docker via a cronjob on whatever interval you decide to use.
First, build the container: docker-compose build app
Then, add it to your crontab. Example crontab entry (running every 8 hours); --abort-on-container-exit stops the Tor proxy container as soon as the scraper container exits, so each run cleans up after itself:
0 */8 * * * cd /path/to/ransomwatch && docker-compose up --abort-on-container-exit
If you'd prefer, you can use the image published on Docker Hub (captaingeech/ransomwatch) instead, with a docker-compose.yml that looks something like this:
version: "3"
services:
  app:
    image: captaingeech/ransomwatch:latest
    depends_on:
      - proxy
    volumes:
      - ./db_vol:/db
      - ./config_vol:/config
    environment:
      PYTHONUNBUFFERED: 1
      RW_DB_PATH: /db/ransomwatch.db
      RW_CONFIG_PATH: /config/config.yaml
  proxy:
    image: captaingeech/tor-proxy:latest
This can also be run via the command line, but that requires you to have your own Tor proxy (with the control service) running. Example execution:
$ RW_DB_PATH=./db_vol/ransomwatch.db RW_CONFIG_PATH=./config_vol/config.yaml python3 src/ransomwatch.py
Example Slack Messages
The messages sent to Discord are very similar in style and identical in content.
Leak Site Implementations
The following leak sites are (planned to be) supported:
- Conti
- MAZE
- Egregor
- Sodinokibi/REvil
- DoppelPaymer (captcha, probably won't be supported for a while)
- NetWalker
- Pysa
- Avaddon
- DarkSide
- CL0P
- Nefilim
- Mount Locker
- Suncrypt
- Everest
- Ragnarok
- Ragnar_Locker
- BABUK LOCKER
- Pay2Key
- Cuba
- RansomEXX
- Ranzy Locker
- Astro Team
- LV
If there are other leak sites you want implemented, feel free to open a PR or DM me on Twitter, @captainGeech42