dls-monitor scan public Data Leak Sites to detect and track ransomware attacks for threat intelligence purposes

adminlove520/dls-monitor


DLS-MONITOR

dls-monitor tracks the extortion sites used by ransomware groups (the Data Leak Sites) and surfaces an aggregated feed of their claims.

This project is kept open source for information sharing purposes related to global cybersecurity threats.

Derived from the ransomwatch project, dls-monitor is managed and maintained entirely in Italy, representing an independent alternative in the EU area.

Please use the issue template when submitting new groups.

⚠️ Content within posts.json and groups.json, alongside the docs/ & source/ directories, is dynamically generated in near-real-time from the hosting choices of real-world threat actors.

Whilst sanitisation efforts have been taken, by viewing or accessing dls-monitor you acknowledge that you are doing so at your own risk.

Key outputs

  • groups.json contains hosts, nodes, relays and mirrors for a tracked group or actor
  • posts.json contains extracted posts, noted by their discovery time and accountable group

Technicals

This is a live repository that utilizes a combination of GitHub Actions and a service container. It visits, parses and reports on monitored hosts in near-real-time in a self-contained manner.

Content fetching is done with psf/requests; if rendering is required, mozilla/geckodriver and seleniumhq/selenium are leveraged.

The frontend is ultimately generated with markdown, using markdown.py and served with docsifyjs/docsify thanks to pages.github.com.

Graphs or visualisations are generated with plotting.py with the help of matplotlib/matplotlib.

Post indexing is done with a mix of grep, awk and sed within parsers.py.

Tools

Rendered HTML for each page is viewable within the source directory.

  • screenshotter.py: a Playwright script to generate high-resolution screenshots of online hosts
  • srcanalyser.py: a basic extractor for emails, internal and external links found within page source
  • browse-hosts.sh: a simple cURL-based iterator for sweeping URL checks
  • sources.zsh: an aggregator of various locations that surface new groups for ransomwatch
  • uptimekuma-importer.py: a script to convert the group data into an uptime-kuma configuration file
  • parsers.sh: a health-check script that provides details on parsers that are returning no fields

A flattened version of groups.json, with each host as its own object, can be found at assets/groups-kv.json. The structure is an array of objects, each representing a distinct host of an entity/group, with all properties (such as name, captcha, parser, etc.) at the same level; group-level elements such as profile and meta are therefore repeated on every host object. Some data analysis tools work with this structure more easily, as it requires less transposing.

Datamap

    groups_json ||--|{ group : contains
    group {
        string name "group name"
        boolean captcha "captcha status"
        boolean parser "parser status"
        boolean javascript_render "javascript status"
        string meta "freeform text"
        string url "notable articles and references"
    }
    group ||--|{ locations : has
    locations {
        string fqdn "fully qualified domain name"
        string title "page title"
        int version "hidden service version"
        string slug "full URI"
        boolean available "availability status"
        datetime updated "timestamp of last update"
        datetime lastscrape "timestamp of last scrape"
        boolean enabled "status"
    }
    group ||--|{ post : references
    post {
        string post_title "post title"
        string group_name "associated group name"
        datetime discovered "timestamp of discovery"
    }
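The flattening described for assets/groups-kv.json, as an added example in Python that is not code from the dls-monitor repository: it takes a groups.json-shaped list (field names taken from the Datamap above, sample data constructed here) and emits one object per host with the group's properties repeated, plus a small health check listing enabled hosts that were not available on their last scrape.

```python
# Added example (not dls-monitor's own code): flatten a groups.json-shaped
# structure into the one-object-per-host layout used by assets/groups-kv.json.
# Field names follow the README Datamap; the sample below is constructed.

SAMPLE_GROUPS = [  # constructed, in the shape of groups.json
    {
        "name": "examplegroup",
        "captcha": False,
        "parser": True,
        "javascript_render": False,
        "meta": "constructed sample entry",
        "url": "https://example.invalid/article",
        "locations": [
            {"fqdn": "exampleabcdef.onion", "title": "Example Leak Blog",
             "version": 3, "slug": "http://exampleabcdef.onion/",
             "available": True, "updated": "2024-01-02T03:04:05",
             "lastscrape": "2024-01-02T03:04:05", "enabled": True},
            {"fqdn": "mirror.example.invalid", "title": "Example Leak Blog (mirror)",
             "version": 0, "slug": "https://mirror.example.invalid/",
             "available": False, "updated": "2023-12-30T00:00:00",
             "lastscrape": "2024-01-02T03:04:05", "enabled": True},
        ],
    }
]

# Group-level properties that get repeated onto every host object.
GROUP_FIELDS = ("name", "captcha", "parser", "javascript_render", "meta", "url")


def flatten_groups(groups):
    """One dict per host, carrying the parent group's properties at the same
    level as the host's own fields (so they repeat for every host)."""
    flat = []
    for group in groups:
        group_props = {field: group.get(field) for field in GROUP_FIELDS}
        for host in group.get("locations", []):
            # Host keys take precedence; the Datamap has no overlapping names.
            flat.append({**group_props, **host})
    return flat


def unreachable_enabled_hosts(flat):
    """FQDNs still enabled for scraping but not available at the last scrape."""
    return [h["fqdn"] for h in flat if h["enabled"] and not h["available"]]


if __name__ == "__main__":
    rows = flatten_groups(SAMPLE_GROUPS)
    print(len(rows), "host rows; unreachable:", unreachable_enabled_hosts(rows))
```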

dls-monitor is licensed under unlicense.org
