RansomWatch is a ransomware leak site monitoring tool. It will scrape all of the entries on various ransomware leak sites, store the data in a SQLite database, and send notifications via Mattermost when a new victim shows up, or when a victim is removed.
The ambition is that future versions will automatically create a threat intelligence feed using the STIX and TAXII framework.
Note: RansomWatch has been forked from the now unsupported RansomWatch project by captainGeech42.
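The core of such a monitor is the reconciliation step: diff a fresh scrape of one leak site against what the SQLite database already holds, record additions and removals, and turn the delta into a Mattermost webhook message. The example below is added here to illustrate that step and is not RansomWatch's own code; the table schema, function names and victim names are constructed for the illustration.

```python
"""Victim-diff step of a leak-site monitor (constructed example, not the project's code)."""
import json
import sqlite3
from datetime import datetime, timezone

# Assumed schema: one row per (site, victim); removed_at is NULL while still listed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS victims (
    site       TEXT NOT NULL,
    name       TEXT NOT NULL,
    first_seen TEXT NOT NULL,
    removed_at TEXT,
    PRIMARY KEY (site, name)
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def sync_site(conn, site, scraped_names, now=None):
    """Reconcile one site's scrape with the DB. Returns (new, removed) sorted lists."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    scraped = set(scraped_names)
    rows = conn.execute(
        "SELECT name FROM victims WHERE site = ? AND removed_at IS NULL", (site,)
    ).fetchall()
    listed = {r[0] for r in rows}
    new, removed = sorted(scraped - listed), sorted(listed - scraped)
    with conn:  # one transaction for the whole delta
        for name in new:
            # A victim that reappears after removal is re-listed with a fresh first_seen.
            conn.execute(
                "INSERT OR REPLACE INTO victims (site, name, first_seen, removed_at) "
                "VALUES (?, ?, ?, NULL)", (site, name, now))
        for name in removed:
            conn.execute("UPDATE victims SET removed_at = ? WHERE site = ? AND name = ?",
                         (now, site, name))
    return new, removed


def mattermost_payload(site, new, removed):
    """JSON body for a Mattermost incoming webhook; only the 'text' field is used."""
    lines = [f"**{site}** leak site changed:"]
    lines += [f"- new victim: `{n}`" for n in new]
    lines += [f"- removed: `{n}`" for n in removed]
    return json.dumps({"text": "\n".join(lines)})
```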
In `config_vol/`, please copy `config.sample.yaml` to `config.yaml`, and add the following:
- Leak site URLs.
- Notification destinations. RansomWatch will support notifying via Mattermost.

Additionally, there are a few environment variables you may need to set:
- `RW_DB_PATH`: Path for the SQLite database to use
- `RW_CONFIG_PATH`: Path to the `config.yaml` file

These are both set in the provided `docker-compose.yml`.

This is intended to be run in Docker via `docker-compose up -d`:
```yaml
version: "3"
services:
  app:
    name: ransomwatch-2.0
    depends_on:
      - proxy
    volumes:
      - ./db_vol:/db
      - ./config_vol:/config
    environment:
      PYTHONUNBUFFERED: 1
      RW_DB_PATH: /db/ransomwatch.db
      RW_CONFIG_PATH: /config/config.yaml
  proxy:
    image: captaingeech/tor-proxy:latest
```
The following leak sites are supported:
- Conti
- Sodinokibi/REvil
- Pysa
- Avaddon
- DarkSide
- CL0P
- Nefilim
- Mount Locker
- Suncrypt
- Everest
- Ragnarok
- Ragnar_Locker
- BABUK LOCKER
- Pay2Key
- Cuba
- RansomEXX
- Ranzy Locker
- Astro Team
- BlackMatter
- Arvin
- El_Cometa
- Lorenz
- Lockbit
- AvosLocker
- LV
- Marketo
- Lockdata
- Rook