Query Details

Monitor ransomwarelive for companies of interest on ransowmare data leak sites (DLS)

Nf Ransomware Leaksite Monitoring

Query

let clientkeyword = datatable(name:string)["client1","client2","client3","axip","elutia"]; //add clients
let supplierkeyword = datatable(supplier:string)["supplier1","supplier2","supplier3","merchant.id"]; //add suppliers
let thirdpartykeyword = datatable(supplier:string)["thirdparty1","thunderbirdcc"]; //add third parties
let victims = externaldata(country:string,
        description:string,
        Country:string,
        discovered:string,
        group_name:string,
        post_title:string,
        post_url:string,
        published:string,
        screenshot:string,
        website:string)
[h@"https://api.ransomware.live/recentvictims"]
with(format="multijson",ignoreFirstRecord=false);
victims
| where post_title has_any (clientkeyword) or post_title has_any (supplierkeyword) or post_title has_any (thirdpartykeyword)

About this query

Explanation

This query helps monitor the ransomware.live dataset for companies of interest that may have been breached and posted on data leak sites by ransomware groups. It allows you to check if relevant third parties, suppliers, or clients have been compromised, posing a risk to your organization.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: June 7, 2024

Tables

victims

Keywords

CompaniesRansomwareDataLeakSitesSupplyChainRiskClientsSuppliersThirdPartiesBreachedPostedGroupsIndirectDirectDatasetCompromisedPresentMonitorExternalOperatorSentinelEndpoint.

Operators

letexternaldatadatatablehas_anyorwhere

MITRE Techniques

Actions

GitHub