analyzing-ransomware-leak-site-intelligence
监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。
Best use case
analyzing-ransomware-leak-site-intelligence is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。
Teams using analyzing-ransomware-leak-site-intelligence should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/analyzing-ransomware-leak-site-intelligence/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How analyzing-ransomware-leak-site-intelligence Compares
| Feature / Agent | analyzing-ransomware-leak-site-intelligence | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
监控和分析勒索软件组织的数据泄露站点(DLS),追踪受害者发布情况,提取组织战术的威胁情报,并评估特定行业的勒索软件风险以实现主动防御。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 分析勒索软件数据泄露站点情报
## 概述
采用双重勒索模式运营的勒索软件(Ransomware)组织在 Tor 隐藏服务上维护数据泄露站点(DLS),在那里发布受害者名称、被盗数据样本和倒计时器以施压付款。2025 年上半年,96 个独特勒索软件组织活跃,每月约发布 535 名受害者。监控这些站点提供了关于活跃威胁组织、目标行业、地理模式和新兴勒索软件家族的情报。本技能涵盖安全收集 DLS 情报、提取结构化数据、追踪组织活动趋势,以及生成行业特定风险评估。
## 前置条件
- Python 3.9+,安装 `requests`、`beautifulsoup4`、`pandas`、`matplotlib` 库
- Tor 代理(SOCKS5)用于访问 .onion 站点,或商业 DLS 监控情报
- 了解勒索软件双重勒索商业模式
- 熟悉主要勒索软件家族(Qilin、Akira、LockBit、BlackCat、Clop)
- 访问勒索软件追踪情报(Ransomwatch、RansomLook、DarkFeed)
## 核心概念
### 双重勒索模式
现代勒索软件组织在加密受害者数据之前还会将其外泄(Exfiltration)。泄露站点作为公开施压工具:受害者以倒计时器、部分数据样本和文件目录的形式被列出。若未支付赎金,完整数据将被公开。部分组织已转向三重勒索,追加 DDoS 威胁或直接联系受害者客户。
### DLS 情报价值
泄露站点提供:受害者识别(公司名称、行业、国家)、攻击时间线(列出时间、截止日期、数据发布时间)、数据量估算、组织能力评估(目标行业、攻击频率、操作节奏),以及趋势分析(新组织出现、组织品牌重塑、执法打击)。
### 安全收集实践
切勿在生产环境中直接访问 DLS 站点。使用专用监控服务(Ransomwatch、DarkFeed、KELA、Flashpoint)、Tor 隔离研究虚拟机、商业威胁情报平台或社区维护的数据集。所有分析应在隔离环境中进行,并获得适当授权。
## 实践步骤
### 步骤 1:从公开情报源导入勒索软件泄露站点数据
```python
import requests
import json
import pandas as pd
from datetime import datetime, timedelta
from collections import Counter
class RansomwareIntelCollector:
"""从公开追踪来源收集勒索软件 DLS 情报。"""
RANSOMWATCH_API = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json"
RANSOMWATCH_GROUPS = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/groups.json"
def __init__(self):
self.posts = []
self.groups = []
def fetch_ransomwatch_data(self):
"""从 ransomwatch 获取勒索软件受害者发布数据。"""
resp = requests.get(self.RANSOMWATCH_API, timeout=30)
if resp.status_code == 200:
self.posts = resp.json()
print(f"[+] 已从 ransomwatch 加载 {len(self.posts)} 条受害者记录")
else:
print(f"[-] 获取记录失败: {resp.status_code}")
resp = requests.get(self.RANSOMWATCH_GROUPS, timeout=30)
if resp.status_code == 200:
self.groups = resp.json()
print(f"[+] 已加载 {len(self.groups)} 个勒索软件组织画像")
return self.posts
def get_recent_victims(self, days=30):
"""获取最近 N 天内发布的受害者。"""
cutoff = datetime.now() - timedelta(days=days)
recent = []
for post in self.posts:
try:
discovered = datetime.fromisoformat(
post.get("discovered", "").replace("Z", "+00:00")
)
if discovered.replace(tzinfo=None) >= cutoff:
recent.append(post)
except (ValueError, TypeError):
continue
print(f"[+] 最近 {days} 天内 {len(recent)} 名受害者")
return recent
def get_group_activity(self, group_name):
"""获取特定勒索软件组织的所有发布记录。"""
group_posts = [
p for p in self.posts
if p.get("group_name", "").lower() == group_name.lower()
]
print(f"[+] {group_name}: 共 {len(group_posts)} 名受害者")
return group_posts
collector = RansomwareIntelCollector()
collector.fetch_ransomwatch_data()
recent = collector.get_recent_victims(days=30)
```
### 步骤 2:分析组织活动和趋势
```python
def analyze_group_trends(posts, top_n=15):
"""分析勒索软件组织活动趋势。"""
group_counts = Counter(p.get("group_name", "unknown") for p in posts)
monthly_activity = {}
for post in posts:
try:
date = datetime.fromisoformat(
post.get("discovered", "").replace("Z", "+00:00")
)
month_key = date.strftime("%Y-%m")
group = post.get("group_name", "unknown")
if month_key not in monthly_activity:
monthly_activity[month_key] = Counter()
monthly_activity[month_key][group] += 1
except (ValueError, TypeError):
continue
analysis = {
"total_posts": len(posts),
"unique_groups": len(group_counts),
"top_groups": group_counts.most_common(top_n),
"monthly_totals": {
month: sum(counts.values())
for month, counts in sorted(monthly_activity.items())
},
"monthly_top_groups": {
month: counts.most_common(5)
for month, counts in sorted(monthly_activity.items())
},
}
print(f"\n=== 勒索软件组织活动 ===")
print(f"追踪受害者总数: {analysis['total_posts']}")
print(f"活跃组织数量: {analysis['unique_groups']}")
print(f"\n前 {top_n} 活跃组织:")
for group, count in analysis["top_groups"]:
print(f" {group}: {count} 名受害者")
return analysis
trends = analyze_group_trends(collector.posts)
```
### 步骤 3:行业和地理风险评估
```python
def assess_sector_risk(posts, target_sector=None, target_country=None):
"""评估特定行业或地区的勒索软件风险。"""
sector_data = {}
country_data = {}
for post in posts:
# 提取行业(并非所有情报源都包含此字段)
sector = post.get("sector", post.get("industry", "unknown"))
country = post.get("country", "unknown")
if sector not in sector_data:
sector_data[sector] = {"count": 0, "groups": Counter(), "recent": []}
sector_data[sector]["count"] += 1
sector_data[sector]["groups"][post.get("group_name", "")] += 1
if country not in country_data:
country_data[country] = {"count": 0, "groups": Counter()}
country_data[country]["count"] += 1
country_data[country]["groups"][post.get("group_name", "")] += 1
# 行业风险评分
total = len(posts)
risk_assessment = {
"total_victims": total,
"sectors": {},
"countries": {},
}
for sector, data in sorted(sector_data.items(), key=lambda x: -x[1]["count"]):
pct = (data["count"] / total * 100) if total > 0 else 0
risk_assessment["sectors"][sector] = {
"victim_count": data["count"],
"percentage": round(pct, 1),
"top_groups": data["groups"].most_common(5),
"risk_level": (
"critical" if pct > 15
else "high" if pct > 8
else "medium" if pct > 3
else "low"
),
}
for country, data in sorted(country_data.items(), key=lambda x: -x[1]["count"]):
pct = (data["count"] / total * 100) if total > 0 else 0
risk_assessment["countries"][country] = {
"victim_count": data["count"],
"percentage": round(pct, 1),
"top_groups": data["groups"].most_common(5),
}
return risk_assessment
risk = assess_sector_risk(collector.posts)
```
### 步骤 4:追踪新兴和品牌重塑的组织
```python
def track_new_groups(posts, lookback_days=90):
"""识别新出现的勒索软件组织。"""
group_first_seen = {}
for post in posts:
group = post.get("group_name", "")
try:
date = datetime.fromisoformat(
post.get("discovered", "").replace("Z", "+00:00")
)
if group not in group_first_seen or date < group_first_seen[group]["first_seen"]:
group_first_seen[group] = {
"first_seen": date,
"first_victim": post.get("post_title", ""),
}
except (ValueError, TypeError):
continue
cutoff = datetime.now() - timedelta(days=lookback_days)
new_groups = {
group: info for group, info in group_first_seen.items()
if info["first_seen"].replace(tzinfo=None) >= cutoff
}
# 统计每个新组织的受害者总数
for group in new_groups:
victims = [p for p in posts if p.get("group_name") == group]
new_groups[group]["total_victims"] = len(victims)
new_groups[group]["avg_per_month"] = round(
len(victims) / max(1, lookback_days / 30), 1
)
print(f"\n=== 新组织(最近 {lookback_days} 天)===")
for group, info in sorted(new_groups.items(), key=lambda x: -x[1]["total_victims"]):
print(f" {group}: {info['total_victims']} 名受害者, "
f"首次发现 {info['first_seen'].strftime('%Y-%m-%d')}")
return new_groups
new_groups = track_new_groups(collector.posts, lookback_days=90)
```
### 步骤 5:生成情报报告
```python
def generate_ransomware_intel_report(trends, risk, new_groups):
"""生成勒索软件威胁情报报告。"""
report = f"""# 勒索软件威胁情报报告
生成时间: {datetime.now().isoformat()}
## 执行摘要
- **追踪受害者总数**: {trends['total_posts']}
- **活跃勒索软件组织**: {trends['unique_groups']}
- **新兴组织(最近 90 天)**: {len(new_groups)}
## 最活跃组织
| 排名 | 组织 | 受害者数 |
|------|-------|---------|
"""
for i, (group, count) in enumerate(trends["top_groups"][:10], 1):
report += f"| {i} | {group} | {count} |\n"
report += "\n## 新兴组织\n"
for group, info in sorted(new_groups.items(), key=lambda x: -x[1]["total_victims"])[:10]:
report += f"- **{group}**: {info['total_victims']} 名受害者,首次出现于 {info['first_seen'].strftime('%Y-%m-%d')}\n"
report += "\n## 行业风险评估\n"
report += "| 行业 | 受害者数 | 占比 | 风险级别 |\n|--------|---------|---|------------|\n"
for sector, data in list(risk["sectors"].items())[:10]:
report += f"| {sector} | {data['victim_count']} | {data['percentage']}% | {data['risk_level'].upper()} |\n"
report += """
## 建议措施
1. 每日监控 DLS 情报,关注您的组织及供应链合作伙伴
2. 优先修补被最活跃组织利用的漏洞
3. 实施离线备份策略以降低勒索杠杆
4. 针对勒索软件场景开展桌面演练
5. 与行业 ISAC 和威胁共享社区共享指标
"""
with open("ransomware_intel_report.md", "w") as f:
f.write(report)
print("[+] 报告已保存: ransomware_intel_report.md")
return report
generate_ransomware_intel_report(trends, risk, new_groups)
```
## 验收标准
- 从公开追踪情报成功导入勒索软件受害者数据
- 分析组织活动趋势(含月度分类)
- 生成行业和地理风险评估
- 识别新兴组织并提供活动指标
- 生成包含可执行建议的情报报告
- 所有收集工作通过经授权的公开来源进行
## 参考资料
- [Ransomwatch GitHub](https://github.com/joshhighet/ransomwatch)
- [SOCRadar: Top Ransomware Statistics 2025](https://socradar.io/blog/top-20-ransomware-statistics-to-know-2025/)
- [Bitsight: Ransomware & Deep Web Trends](https://www.bitsight.com/underground/ransomware)
- [Sophos: Threat Intelligence Report 2025](https://www.sophos.com/en-us/blog/threat-intelligence-executive-report-volume-2025-number-6)
- [H-ISAC: Ransomware Data Leak Sites Report](https://www.aha.org/h-isac-green-reports/2025-08-26-h-isac-tlp-ransomware-data-leak-sites-report-august-26-2025)
- [CYFIRMA: Weekly Intelligence Reports](https://www.cyfirma.com/news/weekly-intelligence-report-16-january-2026/)Related Skills
reverse-engineering-ransomware-encryption-routine
对勒索软件加密例程进行逆向工程,以识别密码学算法、密钥生成缺陷,以及通过静态和动态分析挖掘潜在的解密机会。
recovering-from-ransomware-attack
按照 NIST 和 CISA 框架执行结构化勒索软件事件恢复,包括环境隔离、取证证据保全、 干净基础设施重建、从已验证备份优先还原系统、凭据重置,以及针对再感染的验证。 涵盖 Active Directory 恢复、数据库还原和按依赖顺序重建应用栈。
performing-threat-intelligence-sharing-with-misp
使用 PyMISP 在 MISP 平台上创建、丰富和共享威胁情报事件,包括 IOC 管理、情报源集成、STIX 导出及社区共享工作流
performing-ransomware-tabletop-exercise
规划并主持模拟勒索软件(Ransomware)事件的桌面推演,以测试组织的应急准备、决策能力和通信流程。基于当前勒索软件威胁行为者(LockBit、ALPHV/BlackCat、Cl0p)设计真实场景,涵盖双重勒索(Double Extortion)、备份销毁和法规通知要求等注入内容。依据 NIST CSF 和 CISA 指南评估参与者响应。适用于勒索软件桌面推演、事件响应演练或勒索软件应急准备演习等请求。
performing-ransomware-response
执行结构化的勒索软件事件响应,从初始检测到遏制、取证分析、解密评估、恢复和事后加固。 处理勒索谈判考量、备份完整性验证和法规通知要求。适用于勒索软件响应、 勒索软件恢复、加密勒索软件、数据加密攻击、赎金支付决策或勒索软件遏制等请求场景。
performing-ransomware-incident-response
执行结构化的勒索软件事件响应,包括遏制、解密评估、从备份恢复以及根除勒索软件持久化机制。
performing-paste-site-monitoring-for-credentials
使用自动化抓取和关键词匹配技术,监控 Pastebin 和 GitHub Gists 等粘贴站点上的泄露凭证、API 密钥和敏感数据转储,实现早期泄露检测
performing-open-source-intelligence-gathering
开源情报(OSINT)收集是红队演练的第一个主动阶段,操作员收集关于目标组织的公开可用信息,以识别攻击面、社会工程学目标、技术栈和凭据泄露情况。
managing-intelligence-lifecycle
管理端到端网络威胁情报生命周期,从规划和指导,经过收集、处理、分析、传播到反馈,确保情报产品满足相关方需求并持续改进。当建立或成熟化 CTI 计划、与业务相关方定义情报需求,或在情报消费者和生产者之间建立反馈循环时使用。适用于涉及 CTI 计划成熟度、情报需求、PIR 或情报生命周期管理的请求。
investigating-ransomware-attack-artifacts
识别、收集和分析勒索软件攻击制品,以确定变种、初始访问向量、加密范围和恢复选项。
implementing-threat-intelligence-platform
构建以 MISP 为后端的威胁情报平台,从多个 Feed 摄入 IOC,通过 Galaxy 集群关联事件,并通过 VirusTotal 和 AbuseIPDB 富化指标。使用 PyMISP 创建事件、添加带 IDS 标志的属性、标记 MITRE ATT&CK 技术,并导出 STIX 2.1 Bundle 供下游 SIEM 消费。
implementing-threat-intelligence-lifecycle-management
实现结构化威胁情报生命周期,涵盖规划、收集、处理、分析、传播和反馈阶段,为组织决策生产可操作情报。