analyzing-ransomware-leak-site-intelligence

监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。

9 stars

Best use case

analyzing-ransomware-leak-site-intelligence is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。

Teams using analyzing-ransomware-leak-site-intelligence should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How analyzing-ransomware-leak-site-intelligence Compares

Feature / Agentanalyzing-ransomware-leak-site-intelligenceStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 分析勒索软件数据泄露站点情报

## 概述

采用双重勒索模式运营的勒索软件(Ransomware)组织在 Tor 隐藏服务上维护数据泄露站点(DLS),在那里发布受害者名称、被盗数据样本和倒计时器以施压付款。2025 年上半年,96 个独特勒索软件组织活跃,每月约发布 535 名受害者。监控这些站点提供了关于活跃威胁组织、目标行业、地理模式和新兴勒索软件家族的情报。本技能涵盖安全收集 DLS 情报、提取结构化数据、追踪组织活动趋势,以及生成行业特定风险评估。

## 前置条件

- Python 3.9+,安装 `requests`、`beautifulsoup4`、`pandas`、`matplotlib` 库
- Tor 代理(SOCKS5)用于访问 .onion 站点,或商业 DLS 监控情报
- 了解勒索软件双重勒索商业模式
- 熟悉主要勒索软件家族(Qilin、Akira、LockBit、BlackCat、Clop)
- 访问勒索软件追踪情报(Ransomwatch、RansomLook、DarkFeed)

## 核心概念

### 双重勒索模式

现代勒索软件组织在加密受害者数据之前还会将其外泄(Exfiltration)。泄露站点作为公开施压工具:受害者以倒计时器、部分数据样本和文件目录的形式被列出。若未支付赎金,完整数据将被公开。部分组织已转向三重勒索,追加 DDoS 威胁或直接联系受害者客户。

### DLS 情报价值

泄露站点提供:受害者识别(公司名称、行业、国家)、攻击时间线(列出时间、截止日期、数据发布时间)、数据量估算、组织能力评估(目标行业、攻击频率、操作节奏),以及趋势分析(新组织出现、组织品牌重塑、执法打击)。

### 安全收集实践

切勿在生产环境中直接访问 DLS 站点。使用专用监控服务(Ransomwatch、DarkFeed、KELA、Flashpoint)、Tor 隔离研究虚拟机、商业威胁情报平台或社区维护的数据集。所有分析应在隔离环境中进行,并获得适当授权。

## 实践步骤

### 步骤 1:从公开情报源导入勒索软件泄露站点数据

```python
import requests
import json
import pandas as pd
from datetime import datetime, timedelta
from collections import Counter

class RansomwareIntelCollector:
    """从公开追踪来源收集勒索软件 DLS 情报。"""

    RANSOMWATCH_API = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json"
    RANSOMWATCH_GROUPS = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/groups.json"

    def __init__(self):
        self.posts = []
        self.groups = []

    def fetch_ransomwatch_data(self):
        """从 ransomwatch 获取勒索软件受害者发布数据。"""
        resp = requests.get(self.RANSOMWATCH_API, timeout=30)
        if resp.status_code == 200:
            self.posts = resp.json()
            print(f"[+] 已从 ransomwatch 加载 {len(self.posts)} 条受害者记录")
        else:
            print(f"[-] 获取记录失败: {resp.status_code}")

        resp = requests.get(self.RANSOMWATCH_GROUPS, timeout=30)
        if resp.status_code == 200:
            self.groups = resp.json()
            print(f"[+] 已加载 {len(self.groups)} 个勒索软件组织画像")

        return self.posts

    def get_recent_victims(self, days=30):
        """获取最近 N 天内发布的受害者。"""
        cutoff = datetime.now() - timedelta(days=days)
        recent = []
        for post in self.posts:
            try:
                discovered = datetime.fromisoformat(
                    post.get("discovered", "").replace("Z", "+00:00")
                )
                if discovered.replace(tzinfo=None) >= cutoff:
                    recent.append(post)
            except (ValueError, TypeError):
                continue
        print(f"[+] 最近 {days} 天内 {len(recent)} 名受害者")
        return recent

    def get_group_activity(self, group_name):
        """获取特定勒索软件组织的所有发布记录。"""
        group_posts = [
            p for p in self.posts
            if p.get("group_name", "").lower() == group_name.lower()
        ]
        print(f"[+] {group_name}: 共 {len(group_posts)} 名受害者")
        return group_posts

collector = RansomwareIntelCollector()
collector.fetch_ransomwatch_data()
recent = collector.get_recent_victims(days=30)
```

### 步骤 2:分析组织活动和趋势

```python
def analyze_group_trends(posts, top_n=15):
    """分析勒索软件组织活动趋势。"""
    group_counts = Counter(p.get("group_name", "unknown") for p in posts)
    monthly_activity = {}

    for post in posts:
        try:
            date = datetime.fromisoformat(
                post.get("discovered", "").replace("Z", "+00:00")
            )
            month_key = date.strftime("%Y-%m")
            group = post.get("group_name", "unknown")
            if month_key not in monthly_activity:
                monthly_activity[month_key] = Counter()
            monthly_activity[month_key][group] += 1
        except (ValueError, TypeError):
            continue

    analysis = {
        "total_posts": len(posts),
        "unique_groups": len(group_counts),
        "top_groups": group_counts.most_common(top_n),
        "monthly_totals": {
            month: sum(counts.values())
            for month, counts in sorted(monthly_activity.items())
        },
        "monthly_top_groups": {
            month: counts.most_common(5)
            for month, counts in sorted(monthly_activity.items())
        },
    }

    print(f"\n=== 勒索软件组织活动 ===")
    print(f"追踪受害者总数: {analysis['total_posts']}")
    print(f"活跃组织数量: {analysis['unique_groups']}")
    print(f"\n前 {top_n} 活跃组织:")
    for group, count in analysis["top_groups"]:
        print(f"  {group}: {count} 名受害者")

    return analysis

trends = analyze_group_trends(collector.posts)
```

### 步骤 3:行业和地理风险评估

```python
def assess_sector_risk(posts, target_sector=None, target_country=None):
    """评估特定行业或地区的勒索软件风险。"""
    sector_data = {}
    country_data = {}

    for post in posts:
        # 提取行业(并非所有情报源都包含此字段)
        sector = post.get("sector", post.get("industry", "unknown"))
        country = post.get("country", "unknown")

        if sector not in sector_data:
            sector_data[sector] = {"count": 0, "groups": Counter(), "recent": []}
        sector_data[sector]["count"] += 1
        sector_data[sector]["groups"][post.get("group_name", "")] += 1

        if country not in country_data:
            country_data[country] = {"count": 0, "groups": Counter()}
        country_data[country]["count"] += 1
        country_data[country]["groups"][post.get("group_name", "")] += 1

    # 行业风险评分
    total = len(posts)
    risk_assessment = {
        "total_victims": total,
        "sectors": {},
        "countries": {},
    }

    for sector, data in sorted(sector_data.items(), key=lambda x: -x[1]["count"]):
        pct = (data["count"] / total * 100) if total > 0 else 0
        risk_assessment["sectors"][sector] = {
            "victim_count": data["count"],
            "percentage": round(pct, 1),
            "top_groups": data["groups"].most_common(5),
            "risk_level": (
                "critical" if pct > 15
                else "high" if pct > 8
                else "medium" if pct > 3
                else "low"
            ),
        }

    for country, data in sorted(country_data.items(), key=lambda x: -x[1]["count"]):
        pct = (data["count"] / total * 100) if total > 0 else 0
        risk_assessment["countries"][country] = {
            "victim_count": data["count"],
            "percentage": round(pct, 1),
            "top_groups": data["groups"].most_common(5),
        }

    return risk_assessment

risk = assess_sector_risk(collector.posts)
```

### 步骤 4:追踪新兴和品牌重塑的组织

```python
def track_new_groups(posts, lookback_days=90):
    """识别新出现的勒索软件组织。"""
    group_first_seen = {}
    for post in posts:
        group = post.get("group_name", "")
        try:
            date = datetime.fromisoformat(
                post.get("discovered", "").replace("Z", "+00:00")
            )
            if group not in group_first_seen or date < group_first_seen[group]["first_seen"]:
                group_first_seen[group] = {
                    "first_seen": date,
                    "first_victim": post.get("post_title", ""),
                }
        except (ValueError, TypeError):
            continue

    cutoff = datetime.now() - timedelta(days=lookback_days)
    new_groups = {
        group: info for group, info in group_first_seen.items()
        if info["first_seen"].replace(tzinfo=None) >= cutoff
    }

    # 统计每个新组织的受害者总数
    for group in new_groups:
        victims = [p for p in posts if p.get("group_name") == group]
        new_groups[group]["total_victims"] = len(victims)
        new_groups[group]["avg_per_month"] = round(
            len(victims) / max(1, lookback_days / 30), 1
        )

    print(f"\n=== 新组织(最近 {lookback_days} 天)===")
    for group, info in sorted(new_groups.items(), key=lambda x: -x[1]["total_victims"]):
        print(f"  {group}: {info['total_victims']} 名受害者, "
              f"首次发现 {info['first_seen'].strftime('%Y-%m-%d')}")

    return new_groups

new_groups = track_new_groups(collector.posts, lookback_days=90)
```

### 步骤 5:生成情报报告

```python
def generate_ransomware_intel_report(trends, risk, new_groups):
    """生成勒索软件威胁情报报告。"""
    report = f"""# 勒索软件威胁情报报告
生成时间: {datetime.now().isoformat()}

## 执行摘要
- **追踪受害者总数**: {trends['total_posts']}
- **活跃勒索软件组织**: {trends['unique_groups']}
- **新兴组织(最近 90 天)**: {len(new_groups)}

## 最活跃组织
| 排名 | 组织 | 受害者数 |
|------|-------|---------|
"""
    for i, (group, count) in enumerate(trends["top_groups"][:10], 1):
        report += f"| {i} | {group} | {count} |\n"

    report += "\n## 新兴组织\n"
    for group, info in sorted(new_groups.items(), key=lambda x: -x[1]["total_victims"])[:10]:
        report += f"- **{group}**: {info['total_victims']} 名受害者,首次出现于 {info['first_seen'].strftime('%Y-%m-%d')}\n"

    report += "\n## 行业风险评估\n"
    report += "| 行业 | 受害者数 | 占比 | 风险级别 |\n|--------|---------|---|------------|\n"
    for sector, data in list(risk["sectors"].items())[:10]:
        report += f"| {sector} | {data['victim_count']} | {data['percentage']}% | {data['risk_level'].upper()} |\n"

    report += """
## 建议措施
1. 每日监控 DLS 情报,关注您的组织及供应链合作伙伴
2. 优先修补被最活跃组织利用的漏洞
3. 实施离线备份策略以降低勒索杠杆
4. 针对勒索软件场景开展桌面演练
5. 与行业 ISAC 和威胁共享社区共享指标
"""
    with open("ransomware_intel_report.md", "w") as f:
        f.write(report)
    print("[+] 报告已保存: ransomware_intel_report.md")
    return report

generate_ransomware_intel_report(trends, risk, new_groups)
```

## 验收标准

- 从公开追踪情报成功导入勒索软件受害者数据
- 分析组织活动趋势(含月度分类)
- 生成行业和地理风险评估
- 识别新兴组织并提供活动指标
- 生成包含可执行建议的情报报告
- 所有收集工作通过经授权的公开来源进行

## 参考资料

- [Ransomwatch GitHub](https://github.com/joshhighet/ransomwatch)
- [SOCRadar: Top Ransomware Statistics 2025](https://socradar.io/blog/top-20-ransomware-statistics-to-know-2025/)
- [Bitsight: Ransomware & Deep Web Trends](https://www.bitsight.com/underground/ransomware)
- [Sophos: Threat Intelligence Report 2025](https://www.sophos.com/en-us/blog/threat-intelligence-executive-report-volume-2025-number-6)
- [H-ISAC: Ransomware Data Leak Sites Report](https://www.aha.org/h-isac-green-reports/2025-08-26-h-isac-tlp-ransomware-data-leak-sites-report-august-26-2025)
- [CYFIRMA: Weekly Intelligence Reports](https://www.cyfirma.com/news/weekly-intelligence-report-16-january-2026/)

Related Skills

reverse-engineering-ransomware-encryption-routine

9
from killvxk/cybersecurity-skills-zh

对勒索软件加密例程进行逆向工程,以识别密码学算法、密钥生成缺陷,以及通过静态和动态分析挖掘潜在的解密机会。

recovering-from-ransomware-attack

9
from killvxk/cybersecurity-skills-zh

按照 NIST 和 CISA 框架执行结构化勒索软件事件恢复,包括环境隔离、取证证据保全、 干净基础设施重建、从已验证备份优先还原系统、凭据重置,以及针对再感染的验证。 涵盖 Active Directory 恢复、数据库还原和按依赖顺序重建应用栈。

performing-threat-intelligence-sharing-with-misp

9
from killvxk/cybersecurity-skills-zh

使用 PyMISP 在 MISP 平台上创建、丰富和共享威胁情报事件,包括 IOC 管理、情报源集成、STIX 导出及社区共享工作流

performing-ransomware-tabletop-exercise

9
from killvxk/cybersecurity-skills-zh

规划并主持模拟勒索软件(Ransomware)事件的桌面推演,以测试组织的应急准备、决策能力和通信流程。基于当前勒索软件威胁行为者(LockBit、ALPHV/BlackCat、Cl0p)设计真实场景,涵盖双重勒索(Double Extortion)、备份销毁和法规通知要求等注入内容。依据 NIST CSF 和 CISA 指南评估参与者响应。适用于勒索软件桌面推演、事件响应演练或勒索软件应急准备演习等请求。

performing-ransomware-response

9
from killvxk/cybersecurity-skills-zh

执行结构化的勒索软件事件响应,从初始检测到遏制、取证分析、解密评估、恢复和事后加固。 处理勒索谈判考量、备份完整性验证和法规通知要求。适用于勒索软件响应、 勒索软件恢复、加密勒索软件、数据加密攻击、赎金支付决策或勒索软件遏制等请求场景。

performing-ransomware-incident-response

9
from killvxk/cybersecurity-skills-zh

执行结构化的勒索软件事件响应,包括遏制、解密评估、从备份恢复以及根除勒索软件持久化机制。

performing-paste-site-monitoring-for-credentials

9
from killvxk/cybersecurity-skills-zh

使用自动化抓取和关键词匹配技术,监控 Pastebin 和 GitHub Gists 等粘贴站点上的泄露凭证、API 密钥和敏感数据转储,实现早期泄露检测

performing-open-source-intelligence-gathering

9
from killvxk/cybersecurity-skills-zh

开源情报(OSINT)收集是红队演练的第一个主动阶段,操作员收集关于目标组织的公开可用信息,以识别攻击面、社会工程学目标、技术栈和凭据泄露情况。

managing-intelligence-lifecycle

9
from killvxk/cybersecurity-skills-zh

管理端到端网络威胁情报生命周期,从规划和指导,经过收集、处理、分析、传播到反馈,确保情报产品满足相关方需求并持续改进。当建立或成熟化 CTI 计划、与业务相关方定义情报需求,或在情报消费者和生产者之间建立反馈循环时使用。适用于涉及 CTI 计划成熟度、情报需求、PIR 或情报生命周期管理的请求。

investigating-ransomware-attack-artifacts

9
from killvxk/cybersecurity-skills-zh

识别、收集和分析勒索软件攻击制品,以确定变种、初始访问向量、加密范围和恢复选项。

implementing-threat-intelligence-platform

9
from killvxk/cybersecurity-skills-zh

构建以 MISP 为后端的威胁情报平台,从多个 Feed 摄入 IOC,通过 Galaxy 集群关联事件,并通过 VirusTotal 和 AbuseIPDB 富化指标。使用 PyMISP 创建事件、添加带 IDS 标志的属性、标记 MITRE ATT&CK 技术,并导出 STIX 2.1 Bundle 供下游 SIEM 消费。

implementing-threat-intelligence-lifecycle-management

9
from killvxk/cybersecurity-skills-zh

实现结构化威胁情报生命周期,涵盖规划、收集、处理、分析、传播和反馈阶段,为组织决策生产可操作情报。