Query Details

Monitor ransomwarelive for companies of interest on ransowmare data leak sites (DLS)

Ransomware Leaksite Montitoring

Query

//basic KQL to query recentvictims API
let victims = externaldata(country:string,
        activity:string,
        description:string,
        discovered:string,
        group_name:string,
        post_title:string,
        post_url:string,
        published:string,
        screenshot:string,
        website:string,
        infostealer:dynamic)
[h@"https://api.ransomware.live/recentvictims"]
with(format="multijson",ignoreFirstRecord=false);
victims

About this query

Explanation

This document outlines a series of KQL (Kusto Query Language) queries designed to monitor ransomware data leak sites (DLS) for potential threats to companies of interest, such as clients, suppliers, or third parties. Here's a simple breakdown of what each query does:

  1. Basic Query for Recent Victims:

    • This query retrieves data from the "recent victims" API of ransomware.live. It collects information about recent ransomware attacks, including details like the country, activity, description, and the group responsible.
  2. Query for Detecting Third-Party Compromise:

    • This query is designed to identify potential compromises of third parties, clients, or suppliers by checking if their names appear in the titles of posts on ransomware data leak sites. It uses predefined lists of client, supplier, and third-party names to filter the data.
  3. Query for All Victims Data:

    • This query fetches comprehensive data on all cyberattacks listed on ransomware.live, including details such as the date, victim's name, domain, country, and a summary of the attack.
  4. Query for Group Information:

    • This query retrieves information about ransomware groups from the ransomware.live API. It focuses on groups with names containing "abyss" and provides details about their locations, profiles, and other metadata.

Overall, these queries are intended to help organizations monitor potential supply chain risks and identify if any associated entities have been compromised and listed on ransomware data leak sites. This can help in assessing indirect or direct risks to the organization.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

victimsclientkeywordsupplierkeywordthirdpartykeywordall_victimsgroups

Keywords

RansomwareDataLeakSitesCompaniesSupplyChainRiskThirdPartiesSuppliersClientsOrganisationVictimsAPIRecentPartyCompromiseSiteCyberattacksGroups

Operators

externaldataletdatatablehas_anywheremv-expandproject

MITRE Techniques

Actions

GitHub