### Clone and Setup Dragons Eye CLI Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md This snippet outlines the initial steps to clone the Dragons Eye repository, set up a Python virtual environment, install dependencies, and configure necessary browsers for CLI-only usage. ```bash git clone https://github.com/dragons-community/DragonsEye-RansomwareTracker.git cd DragonsEye-RansomwareTracker python3 -m venv venv source venv/bin/activate pip install -r requirements.txt playwright install firefox cp env.example .env nano .env ``` -------------------------------- ### Install Python Dependencies Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Installs all necessary Python packages listed in the requirements.txt file. This is a crucial step after setting up the virtual environment. ```bash python3 -m venv venv source venv/bin/activate pip install -r requirements.txt ``` -------------------------------- ### API Example Calls Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Demonstrates how to interact with the Dragons Eye API using `curl`. Examples include fetching victims, retrieving statistics, triggering updates, and checking system status. ```bash # Get latest 10 victims curl "http://localhost:8000/api/v1/victims?limit=10&sort=desc" # Get statistics curl "http://localhost:8000/api/v1/stats/summary" # Trigger manual update curl -X POST "http://localhost:8000/api/v1/update/trigger" # Check status curl "http://localhost:8000/api/v1/status" ``` -------------------------------- ### Start Tor Service for .onion Access Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Instructions for starting the Tor service, which is essential for accessing .onion websites used by ransomware groups. ```bash # macOS: brew services start tor # Linux: sudo systemctl start tor ``` -------------------------------- ### Start Dragons Eye API Server Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md This snippet shows the command to start the FastAPI-based API server for Dragons Eye, enabling RESTful access to the collected data. ```bash python3 api/main.py ``` -------------------------------- ### Configure Nginx for HTTPS and Reverse Proxy Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md Example Nginx configuration to serve the application over HTTPS, set up SSL certificates, and configure reverse proxying for both API and frontend. It includes essential security headers like Strict-Transport-Security and X-Frame-Options. ```nginx server { listen 443 ssl http2; server_name yourdomain.com; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; # API location /api/ { proxy_pass http://127.0.0.1:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Frontend location / { proxy_pass http://127.0.0.1:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } } ``` -------------------------------- ### Install Playwright Browsers Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Installs the Playwright browser binaries required for web scraping. It specifically installs Firefox and Chromium, which are commonly used by the scraping engine. ```bash playwright install firefox chromium ``` -------------------------------- ### Configure Environment Variables Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Copies the example environment file and prompts the user to edit it with their specific settings. This includes paths, Tor configuration, and optional AI enrichment API keys. ```bash cp env.example .env nano .env ``` -------------------------------- ### Start API and Frontend Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Launches the FastAPI backend API and the frontend development server. The API includes an auto-scheduler for data updates. The frontend runs on port 3000 and the API on port 8000. ```bash # Terminal 1: Start API (includes auto-scheduler) python3 api/main.py # Terminal 2: Start Frontend cd frontend && npm run dev ``` -------------------------------- ### Database Backup Script Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md A simple bash command to create a timestamped backup of the database directory. This should be run regularly to ensure data recovery capabilities. ```bash cp -r db/ backups/db_$(date +%Y%m%d)/ ``` -------------------------------- ### Adding a New Parser Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Example Python code for adding a new parser for a ransomware group. It utilizes `BeautifulSoup` for HTML parsing and custom logging/appending utilities. ```python from shared_utils import stdlog, errlog, appender from bs4 import BeautifulSoup def parse(html_content, group_name, location): soup = BeautifulSoup(html_content, 'html.parser') for victim in soup.find_all('div', class_='victim'): name = victim.find('h2').text.strip() appender( victim=name, group_name=group_name, description='', website='', post_url=location['slug'] ) ``` -------------------------------- ### Configure Production Environment Variables (.env) Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md Sets up essential environment variables for production deployment, including admin credentials, allowed origins for CORS, and the application port. It emphasizes changing default credentials and restricting CORS to specific domains for security. ```bash # Environment ENVIRONMENT=production # Admin credentials (CHANGE THESE!) # Generate hash: python -c "import hashlib; print(hashlib.sha256('YourSecurePassword123!'.encode()).hexdigest())" ADMIN_USERNAME=your_admin_username ADMIN_PASSWORD_HASH=your_sha256_password_hash # CORS - Your actual domains only ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com # Port PORT=8000 ``` -------------------------------- ### Export Victim Data using jq Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md An example of exporting victim data, specifically filtering for victims belonging to the 'lockbit3' group, using the `jq` command-line JSON processor. ```bash cat db/victims.json | jq '.[] | select(.group_name=="lockbit3")' ``` -------------------------------- ### Configure UFW Firewall for Production Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md Sets up Uncomplicated Firewall (UFW) rules to secure the production server. It denies all incoming traffic by default, allows outgoing traffic, and explicitly permits SSH, HTTP (port 80), and HTTPS (port 443). ```bash # UFW example sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw enable ``` -------------------------------- ### Get Summary Statistics (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves overall statistics for the ransomware tracker, including total victims, active groups, and top-performing groups. This provides a high-level overview of the threat landscape. ```bash # Get summary statistics curl "http://localhost:8000/api/v1/stats/summary" ``` -------------------------------- ### Get Victims for a Specific Group (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves a list of victims associated with a specific ransomware group. This endpoint supports pagination to manage large datasets. ```bash # Get all victims for a specific group curl "http://localhost:8000/api/v1/groups/lockbit3/victims?page=1&limit=25" ``` -------------------------------- ### Generate SHA256 Admin Password Hash (Python) Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md A Python one-liner to generate a SHA256 hash for the admin password. This hash should be used in the `ADMIN_PASSWORD_HASH` environment variable for secure authentication. ```python import hashlib print(hashlib.sha256('YourSecurePassword123!'.encode()).hexdigest()) ``` -------------------------------- ### Get System Status (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves the current status of the ransomware tracker system, including data freshness, update progress, and scheduler information. This endpoint is crucial for monitoring the health and operational status of the tracker. ```bash # Get system status curl "http://localhost:8000/api/v1/status" ``` -------------------------------- ### React/Next.js API Client for Dragons Eye Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Example of integrating with the Dragons Eye API from a React/Next.js frontend. It includes functions to fetch victims, statistics, and groups, along with a basic React component for displaying victims. Requires NEXT_PUBLIC_API_URL environment variable. ```typescript // lib/api.ts const API_BASE = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8000'; interface Victim { post_title: string; group_name: string; discovered: string; country: string; activity: string; website: string; description: string; } interface VictimsResponse { total: number; page: number; limit: number; pages: number; data: Victim[]; } // Fetch victims with filters export async function getVictims(params: { page?: number; limit?: number; group?: string; country?: string; search?: string; }): Promise { const searchParams = new URLSearchParams(); if (params.page) searchParams.set('page', params.page.toString()); if (params.limit) searchParams.set('limit', params.limit.toString()); if (params.group) searchParams.set('group', params.group); if (params.country) searchParams.set('country', params.country); if (params.search) searchParams.set('search', params.search); const response = await fetch(`${API_BASE}/api/v1/victims?${searchParams}`); if (!response.ok) throw new Error('Failed to fetch victims'); return response.json(); } // Fetch statistics export async function getStats() { const response = await fetch(`${API_BASE}/api/v1/stats/summary`); if (!response.ok) throw new Error('Failed to fetch stats'); return response.json(); } // Fetch groups export async function getGroups(activeOnly = false) { const params = activeOnly ? '?active_only=true' : ''; const response = await fetch(`${API_BASE}/api/v1/groups${params}`); if (!response.ok) throw new Error('Failed to fetch groups'); return response.json(); } // Usage in React component export default function VictimsList() { const [victims, setVictims] = useState([]); const [loading, setLoading] = useState(true); useEffect(() => { getVictims({ page: 1, limit: 25 }) .then(data => setVictims(data.data)) .finally(() => setLoading(false)); }, []); return (
{victims.map(victim => (

{victim.post_title}

Group: {victim.group_name}

Country: {victim.country}

))}
); } ``` -------------------------------- ### Get Victim Statistics by Country (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves the distribution of ransomware victims across different countries, including the count and percentage for each. This helps in understanding the geographical impact of ransomware attacks. ```bash # Get country statistics curl "http://localhost:8000/api/v1/stats/countries?limit=20" ``` -------------------------------- ### Get RSS Feeds (API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoints to subscribe to RSS feeds for real-time updates on new victims and group activity. Supports fetching victims feed with a limit and groups activity feed. These are GET requests to the /api/v1/rss/* endpoints. ```bash # Get victims RSS feed curl "http://localhost:8000/api/v1/rss/victims?limit=50" # Get groups activity RSS feed curl "http://localhost:8000/api/v1/rss/groups" ``` -------------------------------- ### Secure Database Files (chmod) Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/SECURITY.md Applies restrictive file permissions to database JSON files, setting them to read/write only for the owner. This is part of securing the `db/` directory, which should be kept outside the web root. ```bash chmod 600 db/*.json ``` -------------------------------- ### Get Update Logs API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves recent logs related to the data update process. ```APIDOC ## GET /api/v1/update/logs ### Description Retrieves update logs, allowing filtering by the number of lines. ### Method GET ### Endpoint `/api/v1/update/logs` ### Parameters #### Query Parameters - **lines** (integer) - Optional - The number of recent log lines to retrieve. Defaults to a reasonable amount if not specified. ### Response #### Success Response (200) - **log_file** (string) - The path to the log file. - **total_lines** (integer) - The total number of lines in the log file. - **showing_lines** (integer) - The number of lines actually returned. - **logs** (string) - The content of the log lines. #### Response Example { "log_file": "/app/logs/update_20240115_080000.log", "total_lines": 1500, "showing_lines": 100, "logs": "[SCRAPE] Starting scrape.py -V ...\n[08:00:15] lockbit3 OK (78KB)..." } ``` -------------------------------- ### Get Victim Statistics by Sector (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves the distribution of ransomware victims across various industry sectors, including counts and percentages. This is useful for identifying which industries are most targeted by ransomware operations. ```bash # Get sector statistics curl "http://localhost:8000/api/v1/stats/sectors?limit=15" ``` -------------------------------- ### Get Update Logs (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves logs related to the data update process. This endpoint allows specifying the number of lines to retrieve, which is helpful for debugging or reviewing recent update activities. ```bash # Get update logs curl "http://localhost:8000/api/v1/update/logs?lines=100" ``` -------------------------------- ### Get Attack Trend Data (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves daily victim counts over a specified period to analyze attack trends. This endpoint allows for flexibility in defining the trend analysis window. ```bash # Get 30-day trend data curl "http://localhost:8000/api/v1/stats/trend?days=30" # Get 90-day trend data curl "http://localhost:8000/api/v1/stats/trend?days=90" ``` -------------------------------- ### Get Ransomware Group Details Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt This endpoint provides comprehensive details for a specific ransomware group, identified by its name. It includes the group's name, victim count, activity status, location statistics, a descriptive meta field, a detailed description, and information about whether a parser exists for the group, along with a URL for its logo. ```bash # Get detailed group info curl "http://localhost:8000/api/v1/groups/lockbit3" ``` -------------------------------- ### Query Decryptors (API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoints for querying available ransomware decryption tools. Supports listing all decryptors, filtering by status or group, and retrieving details for a specific decryptor. These are GET requests to the /api/v1/decryptors endpoint with optional query parameters. ```bash # List all decryptors curl "http://localhost:8000/api/v1/decryptors" # Filter by status curl "http://localhost:8000/api/v1/decryptors?status=active" # Filter by group curl "http://localhost:8000/api/v1/decryptors?group=gandcrab" # Get specific decryptor curl "http://localhost:8000/api/v1/decryptors/abc123" ``` -------------------------------- ### Get Specific Victim by Index Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt This endpoint retrieves detailed information for a single victim record using its unique index. The response includes comprehensive details such as the victim's name, the ransomware group responsible, discovery date, country, industry, website, and a description of the leaked data. ```bash # Get victim by index curl "http://localhost:8000/api/v1/victims/0" # Response: { "post_title": "Example Corp", "group_name": "lockbit3", "discovered": "2024-01-15 08:30:00.000000", "country": "US", "activity": "Technology", "website": "example.com", "description": "Data leak includes financial records and customer data", "published": "2024-01-14 12:00:00.000000", "post_url": "http://lockbit...onion/post/example", "duplicates": [], "extrainfos": [], "_index": 0 } ``` -------------------------------- ### Run Dragons Eye CLI Scraping Commands Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Demonstrates how to use the Dragons Eye CLI to scrape ransomware group data, either for all groups or specific ones. ```bash # Scrape all groups python3 bin/scrape.py --all # Scrape specific group python3 bin/scrape.py --group lockbit3 ``` -------------------------------- ### Get all victims for a specific group Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Retrieves a list of victims associated with a particular ransomware group, with pagination support. ```APIDOC ## GET /api/v1/groups/{group_id}/victims ### Description Retrieves a list of victims for a specified ransomware group. Supports pagination. ### Method GET ### Endpoint `/api/v1/groups/{group_id}/victims` ### Parameters #### Query Parameters - **page** (integer) - Optional - The page number for pagination. - **limit** (integer) - Optional - The number of victims to return per page. ### Response #### Success Response (200) - **victims** (array) - A list of victim objects. - **post_title** (string) - The title of the victim post. - **discovered** (string) - The date and time the victim was discovered. - **country** (string) - The country of the victim. #### Response Example { "victims": [ { "post_title": "Recent Victim Corp", "discovered": "2024-01-15 08:30:00.000000", "country": "US" } ] } ``` -------------------------------- ### Export Group Data (API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoint for exporting group data in CSV format. This is a GET request to the /api/v1/export/groups/csv endpoint. ```bash # Export groups as CSV curl "http://localhost:8000/api/v1/export/groups/csv" -o groups.csv ``` -------------------------------- ### Run Dragons Eye CLI Parsing and Status Commands Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Shows how to parse scraped data, check the system status, and perform a full update (scrape and parse) using the Dragons Eye CLI. ```bash # Parse scraped data python3 bin/parse.py --all # Check system status python3 bin/status.py # Full update (scrape + parse) python3 bin/scrape.py --all && python3 bin/parse.py --all ``` -------------------------------- ### Scheduler Configuration Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Configuration settings for the auto-update system in `api/main.py`. This includes defining the update interval in minutes and a flag to run the update on startup. ```python UPDATE_INTERVAL_MINUTES = 30 # Update every 30 minutes RUN_ON_STARTUP = True # Run update immediately on startup ``` -------------------------------- ### System and Update API Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Endpoints for checking system status and triggering updates. ```APIDOC ## GET /status ### Description Retrieves the current status of the system. ### Method GET ### Endpoint `/api/v1/status` ### Response #### Success Response (200) - **status** (string) - The current system status (e.g., 'Operational', 'Updating'). #### Response Example ```json { "status": "Operational" } ``` ## POST /update/trigger ### Description Manually triggers a system update process. ### Method POST ### Endpoint `/api/v1/update/trigger` ### Response #### Success Response (200) - **message** (string) - Confirmation that the update has been triggered. #### Response Example ```json { "message": "Manual update triggered successfully." } ``` ``` -------------------------------- ### Utilize Shared Utilities for Ransomware Tracking Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt The `shared_utils.py` module provides essential functions for ransomware tracking, including logging, appending victim data to the database, and AI-powered post enrichment. These utilities streamline common tasks for parser development and data processing. ```python from shared_utils import stdlog, errlog, appender, enrich_post # Logging stdlog("Processing victim data...") # Info log errlog("Failed to parse HTML") # Error log # Append victim to database appender( post_title="Victim Corp", group_name="lockbit3", description="Financial data leaked", website="victim.com", published="2024-01-15 10:00:00.000000", post_url="http://lockbit...onion/post/victim", country="US" ) # AI enrichment using OpenAI or LM Studio enriched = enrich_post( title="Victim Corp", description="Financial and customer data" ) # Returns: # { # "company_name": "Victim Corporation", # "country": "United States", # "sector": ["Finance", "Technology"], # } ``` -------------------------------- ### Scrape Command (CLI Tool) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Command-line interface tool for scraping ransomware leak sites via Tor. Supports scraping all enabled groups, verbose output, specific groups, and forcing a scrape. Uses Python 3 and is located in the `bin/` directory. ```bash # Scrape all enabled groups python3 bin/scrape.py --all # Scrape with verbose output python3 bin/scrape.py -V # Scrape specific group python3 bin/scrape.py --group lockbit3 -V # Force scrape (bypass enabled flag) python3 bin/scrape.py -B -V ``` -------------------------------- ### Create Ransom Note (Admin API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoint for administrators to create new ransom notes. Requires group name, note title, content, filename, and file extensions. This is a POST request to the /api/v1/ransom-notes endpoint. ```bash curl -X POST "http://localhost:8000/api/v1/ransom-notes" \ -d "group_name=newgroup" \ -d "note_title=New Ransom Note" \ -d "note_content=Your files have been encrypted" \ -d "filename=readme.txt" \ -d "file_extensions=.enc,.locked" ``` -------------------------------- ### Monitor System Status Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt The status command monitors system health, including API status, data freshness, and scraping statistics. It can perform a quick check, provide verbose output with recent victims, or run in live watch mode for real-time updates. ```bash # Quick status check python3 bin/status.py # Verbose status with recent victims python3 bin/status.py -v # Live monitoring (refreshes every 10s) python3 bin/status.py --watch ``` -------------------------------- ### Search Victims by Content Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt This endpoint allows searching for victim records based on keywords found in their name, website, or description. It returns a list of matching victims along with their basic details and the total count of results. ```bash # Search victims curl "http://localhost:8000/api/v1/victims/search/healthcare?limit=50" # Response: { "total": 42, "data": [ { "post_title": "Healthcare Provider Inc", "group_name": "alphv", "discovered": "2024-01-14 15:20:00.000000", "country": "DE", "activity": "Healthcare" } ] } ``` -------------------------------- ### Create Custom Ransomware Group Parser Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt This Python script serves as a template for creating custom parsers for new ransomware groups. It uses BeautifulSoup to parse HTML content and extracts victim information such as title, description, and publication date. The extracted data is then appended to a victims database. ```python # bin/_parsers/newgroup.py """ Parser template for new ransomware group """ import os from bs4 import BeautifulSoup from pathlib import Path from dotenv import load_dotenv from shared_utils import find_slug_by_md5, appender, extract_md5_from_filename, errlog, stdlog env_path = Path("../.env") load_dotenv(dotenv_path=env_path) home = os.getenv("DRAGONS_HOME") tmp_dir = Path(home + os.getenv("TMP_DIR")) def main(): """Main parser function called by parse.py""" for filename in os.listdir(tmp_dir): try: if filename.startswith('newgroup-'): html_doc = tmp_dir / filename stdlog(f'Processing {filename}') with open(html_doc, 'r') as file: soup = BeautifulSoup(file, 'html.parser') # Find victim entries (adjust selectors for target site) victims = soup.find_all('div', {"class": "victim-card"}) for victim in victims: try: # Extract victim data title = victim.find('h2', {"class": "victim-name"}).text.strip() description = victim.find('p', {"class": "description"}).text.strip() published = victim.find('span', {"class": "date"}).text.strip() # Get post URL url = find_slug_by_md5('newgroup', extract_md5_from_filename(str(html_doc))) post_url = url + victim.find('a')['href'] # Append to victims.json appender( post_title=title, group_name='newgroup', description=description.replace('\n', ' '), website='', published=published, post_url=post_url, country='' ) except Exception as e: errlog(f'newgroup - parsing fail: {str(e)}') except Exception as e: errlog(f'newgroup - file error: {str(e)}') ``` -------------------------------- ### Dragons Eye Environment Variable Configuration Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Configuration for the Dragons Eye platform using environment variables in a `.env` file. Covers core paths, Tor, API settings, admin authentication, and optional AI/notification services. ```bash # Copy example configuration cp env.example .env # Core paths DRAGONS_HOME=/path/to/DragonsEye-RansomwareTracker DB_DIR=/db IMAGES_DIR=/images TMP_DIR=/tmp # Tor configuration (required for .onion scraping) TOR_PROXY_SERVER=socks5://127.0.0.1:9050 # API configuration PORT=8000 ENVIRONMENT=development ALLOWED_ORIGINS=* # Admin authentication ADMIN_USERNAME=admin # Generate hash: python3 -c "import hashlib; print(hashlib.sha256('password'.encode()).hexdigest())" ADMIN_PASSWORD_HASH=5e884898da28047d9164... # Optional: AI enrichment OPENAI_API_KEY=sk-your-api-key # Or for local LM Studio: OPENAI_BASE_URL=http://localhost:1234/v1 LM_STUDIO_MODEL=local-model # Optional: Notifications TELEGRAM_BOT_TOKEN=your-bot-token TELEGRAM_CHAT_ID=your-chat-id DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/... ``` -------------------------------- ### Scrape All Groups Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Initiates the web scraping process for all configured ransomware groups. The verbose flag (-V) provides detailed output during the scraping process, showing the status of each group. ```bash cd bin python3 scrape.py -V ``` -------------------------------- ### Export Victim Data (API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoints for exporting victim data in various formats including CSV, JSON, and STIX 2.1. Supports filtering by group and date range, and limiting the number of results. These are GET requests to the /api/v1/export/victims/* endpoints. ```bash # Export victims as CSV curl "http://localhost:8000/api/v1/export/victims/csv" -o victims.csv # Export with filters curl "http://localhost:8000/api/v1/export/victims/csv?group=lockbit3&days=30" -o lockbit_victims.csv # Export as JSON curl "http://localhost:8000/api/v1/export/victims/json?limit=1000" -o victims.json # Export in STIX 2.1 format for threat intelligence platforms curl "http://localhost:8000/api/v1/export/victims/stix?days=30&limit=500" -o victims_stix.json ``` -------------------------------- ### System Status API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Provides information about the current status of the tracker system, including data freshness and update progress. ```APIDOC ## GET /api/v1/status ### Description Retrieves system status including data freshness and scheduler information. ### Method GET ### Endpoint `/api/v1/status` ### Response #### Success Response (200) - **data_freshness** (string) - Indicates the freshness of the data ('fresh', 'stale', etc.). - **message** (string) - A human-readable message about the data status. - **update_in_progress** (boolean) - True if a data update is currently running, false otherwise. - **victims** (object) - Status of the victim data. - **exists** (boolean) - Whether victim data exists. - **modified** (string) - Timestamp of the last modification. - **age_hours** (float) - Age of the data in hours. - **age_human** (string) - Human-readable age of the data. - **groups** (object) - Status of the group data. - **exists** (boolean) - Whether group data exists. - **modified** (string) - Timestamp of the last modification. - **age_hours** (float) - Age of the data in hours. - **age_human** (string) - Human-readable age of the data. - **scheduler** (object) - Status of the background scheduler. - **status** (string) - Current status of the scheduler ('idle', 'running', etc.). - **last_update** (string) - Timestamp of the last scheduler update. - **last_scrape** (string) - Timestamp of the last data scrape. - **last_parse** (string) - Timestamp of the last data parse. - **timestamp** (string) - Timestamp of this status report. #### Response Example { "data_freshness": "fresh", "message": "Data is up to date", "update_in_progress": false, "victims": { "exists": true, "modified": "2024-01-15T08:30:00.000000", "age_hours": 2.1, "age_human": "2h 6m" }, "groups": { "exists": true, "modified": "2024-01-15T08:30:00.000000", "age_hours": 2.1, "age_human": "2h 6m" }, "scheduler": { "status": "idle", "last_update": "2024-01-15T08:00:00.000000", "last_scrape": "2024-01-15T08:00:00.000000", "last_parse": "2024-01-15T08:25:00.000000" }, "timestamp": "2024-01-15T10:30:00.000000" } ``` -------------------------------- ### List Victims with Pagination and Filters Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt This endpoint retrieves a list of victim records from the ransomware tracker. It supports pagination to manage large datasets, and filtering by ransomware group, country, or sector. A search parameter is also available to find victims by name. ```bash # Get latest 25 victims (default) curl "http://localhost:8000/api/v1/victims" # Get victims with pagination and filters curl "http://localhost:8000/api/v1/victims?page=1&limit=10&sort=desc" # Filter by ransomware group curl "http://localhost:8000/api/v1/victims?group=lockbit3&limit=50" # Filter by country code curl "http://localhost:8000/api/v1/victims?country=US&limit=25" # Filter by sector/industry curl "http://localhost:8000/api/v1/victims?sector=healthcare&limit=20" # Search victims by name curl "http://localhost:8000/api/v1/victims?search=acme&limit=10" # Response: { "total": 24765, "page": 1, "limit": 25, "pages": 991, "data": [ { "post_title": "Example Corp", "group_name": "lockbit3", "discovered": "2024-01-15 08:30:00.000000", "country": "US", "activity": "Technology", "website": "example.com", "description": "Data leak includes financial records...", "_index": 0 } ] } ``` -------------------------------- ### Statistics Summary API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Provides a high-level overview of ransomware statistics, including total victims, active groups, and recent activity. ```APIDOC ## GET /api/v1/stats/summary ### Description Retrieves dashboard statistics including total victims, groups, and daily counts. ### Method GET ### Endpoint `/api/v1/stats/summary` ### Response #### Success Response (200) - **total_victims** (integer) - Total number of victims tracked. - **total_groups** (integer) - Total number of ransomware groups tracked. - **active_groups** (integer) - Number of currently active ransomware groups. - **countries_affected** (integer) - Number of unique countries affected. - **today_new** (integer) - Number of new victims reported today. - **top_group** (string) - The name of the ransomware group with the most victims. - **top_group_count** (integer) - The victim count for the top group. #### Response Example { "total_victims": 24765, "total_groups": 306, "active_groups": 71, "countries_affected": 142, "today_new": 15, "top_group": "lockbit3", "top_group_count": 2150 } ``` -------------------------------- ### Negotiations API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Access ransomware negotiation chat logs for research purposes. ```APIDOC ## GET /api/v1/negotiations ### Description Retrieves ransomware negotiation chat logs. ### Method GET ### Endpoint /api/v1/negotiations ### Response #### Success Response (200) - **total_groups** (integer) - The total number of unique ransomware groups represented in the logs. - **total_chats** (integer) - The total number of chat logs available. - **paid_count** (integer) - The number of chats where payment was confirmed. - **chats** (array) - An array of negotiation chat objects. - **group** (string) - The name of the ransomware group. - **chatId** (string) - Unique identifier for the chat log. - **messages** (integer) - The total number of messages in the chat. - **initialRansom** (integer) - The initial ransom demand amount. - **negotiatedRansom** (integer) - The final negotiated ransom amount. - **paid** (boolean) - Indicates if the ransom was paid. - **link** (string) - URL to the full chat log content. #### Response Example { "total_groups": 15, "total_chats": 234, "paid_count": 89, "chats": [ { "group": "conti", "chatId": "chat_001", "messages": 45, "initialRansom": 500000, "negotiatedRansom": 125000, "paid": true, "link": "https://raw.githubusercontent.com/Casualtek/Ransomchats/main/conti/chat_001.json" } ] } ``` -------------------------------- ### Decryptors, Ransom Notes, and Negotiations API Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Endpoints for accessing information on decryptors, ransom notes, and negotiation chats. ```APIDOC ## GET /decryptors ### Description Lists available decryptors. ### Method GET ### Endpoint `/api/v1/decryptors` ### Response #### Success Response (200) - **decryptors** (array) - List of decryptor information. #### Response Example ```json { "decryptors": [ { "name": "ExampleDecryptor", "version": "1.0" } ] } ``` ## GET /ransom-notes ### Description Lists collected ransom notes. ### Method GET ### Endpoint `/api/v1/ransom-notes` ### Response #### Success Response (200) - **ransom_notes** (array) - List of ransom note details. #### Response Example ```json { "ransom_notes": [ { "id": "note_id_1", "filename": "note.txt" } ] } ``` ## GET /negotiations ### Description Lists negotiation chats. ### Method GET ### Endpoint `/api/v1/negotiations` ### Response #### Success Response (200) - **negotiations** (array) - List of negotiation chat logs. #### Response Example ```json { "negotiations": [ { "id": "chat_id_1", "date": "2023-10-27T11:00:00Z" } ] } ``` ``` -------------------------------- ### Trigger Manual Update API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Initiates a manual data update process (scraping and parsing) in the background. ```APIDOC ## POST /api/v1/update/trigger ### Description Triggers a background data update (scrape + parse) manually. ### Method POST ### Endpoint `/api/v1/update/trigger` ### Response #### Success Response (200) - **success** (boolean) - Indicates if the update trigger was successful. - **message** (string) - A message confirming the update process has started. - **status** (string) - The current status of the update ('started'). - **note** (string) - Instructions on how to check the update progress. #### Response Example { "success": true, "message": "Update started in background", "status": "started", "note": "Check /api/v1/status for progress" } ``` -------------------------------- ### Manage Ransom Notes (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Provides endpoints for listing, filtering, and retrieving individual ransom notes collected from various ransomware groups. This functionality allows for detailed analysis of ransom note content. ```bash # List all ransom notes curl "http://localhost:8000/api/v1/ransom-notes" # Filter by group curl "http://localhost:8000/api/v1/ransom-notes?group=lockbit3" # Get specific ransom note curl "http://localhost:8000/api/v1/ransom-notes/lockbit3-1" ``` -------------------------------- ### Access Negotiations (API) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt API endpoint to access ransomware negotiation chat logs. This endpoint retrieves a summary of negotiation data, including total groups, chats, paid counts, and details of individual chats like group, messages, ransom amounts, and payment status. ```bash # Get all negotiations curl "http://localhost:8000/api/v1/negotiations" ``` -------------------------------- ### Parse All Groups Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Orchestrates the data parsing process for all ransomware groups. This script processes the scraped HTML files and extracts relevant information into the database. ```bash cd bin python3 parse.py ``` -------------------------------- ### Trigger Manual Data Update (Bash) Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Manually triggers a background data update process, which includes scraping and parsing. This is useful for forcing a refresh of the data outside of the regular schedule. The status can be monitored via the `/api/v1/status` endpoint. ```bash # Trigger update curl -X POST "http://localhost:8000/api/v1/update/trigger" ``` -------------------------------- ### Statistics by Sector API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Provides victim distribution data categorized by industry sector. ```APIDOC ## GET /api/v1/stats/sectors ### Description Retrieves victim distribution by industry sector. ### Method GET ### Endpoint `/api/v1/stats/sectors` ### Parameters #### Query Parameters - **limit** (integer) - Optional - The maximum number of sectors to return. ### Response #### Success Response (200) - **total** (integer) - Total number of victims. - **data** (array) - An array of sector statistics objects. - **sector** (string) - The name of the industry sector. - **count** (integer) - The number of victims in this sector. - **percentage** (float) - The percentage of total victims in this sector. #### Response Example { "total": 24765, "data": [ {"sector": "Technology", "count": 4200, "percentage": 16.96}, {"sector": "Healthcare", "count": 3100, "percentage": 12.52}, {"sector": "Finance", "count": 2800, "percentage": 11.31} ] } ``` -------------------------------- ### Statistics API Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Endpoints for retrieving various statistics and trends. ```APIDOC ## GET /stats/summary ### Description Provides an overall summary of statistics. ### Method GET ### Endpoint `/api/v1/stats/summary` ### Response #### Success Response (200) - **summary** (object) - Contains aggregated statistics. #### Response Example ```json { "summary": { "total_victims": 1000, "total_groups": 50, "active_campaigns": 10 } } ``` ## GET /stats/countries ### Description Returns a breakdown of victims by country. ### Method GET ### Endpoint `/api/v1/stats/countries` ### Response #### Success Response (200) - **countries** (array) - List of countries with victim counts. #### Response Example ```json { "countries": [ { "country": "USA", "victims": 300 }, { "country": "Germany", "victims": 150 } ] } ``` ## GET /stats/sectors ### Description Returns a breakdown of victims by industry sector. ### Method GET ### Endpoint `/api/v1/stats/sectors` ### Response #### Success Response (200) - **sectors** (array) - List of sectors with victim counts. #### Response Example ```json { "sectors": [ { "sector": "Technology", "victims": 200 }, { "sector": "Healthcare", "victims": 180 } ] } ``` ## GET /stats/trend ### Description Shows the attack trend over the last 30 days. ### Method GET ### Endpoint `/api/v1/stats/trend` ### Response #### Success Response (200) - **trend** (array) - List of daily victim counts for the last 30 days. #### Response Example ```json { "trend": [ { "date": "2023-10-26", "victims": 15 }, { "date": "2023-10-27", "victims": 20 } ] } ``` ``` -------------------------------- ### Ransom Notes API Source: https://context7.com/frknaykc/dragonseye-ransomwaretracker/llms.txt Manage and retrieve ransomware notes. Supports creating new notes and fetching existing ones. ```APIDOC ## GET /api/v1/ransom-notes ### Description Retrieves a list of ransom notes with pagination. ### Method GET ### Endpoint /api/v1/ransom-notes ### Query Parameters - **page** (integer) - Optional - The page number for pagination. - **limit** (integer) - Optional - The number of items per page. ### Response #### Success Response (200) - **total** (integer) - The total number of ransom notes. - **data** (array) - An array of ransom note objects. - **id** (string) - Unique identifier for the note. - **group_name** (string) - The name of the ransomware group. - **note_title** (string) - The title of the ransom note. - **note_content** (string) - The content of the ransom note. - **filename** (string) - The original filename of the note. - **file_extensions** (array of strings) - List of file extensions associated with this ransomware. - **created_at** (string) - Timestamp when the note was created. #### Response Example { "total": 156, "data": [ { "id": "lockbit3-1", "group_name": "lockbit3", "note_title": "LockBit 3.0 Ransom Note", "note_content": "Your files have been encrypted...", "filename": "readme.txt", "file_extensions": [".lockbit", ".lb3"], "created_at": "2024-01-01T00:00:00.000000" } ] } ## POST /api/v1/ransom-notes ### Description Creates a new ransom note. This endpoint is typically for administrative use. ### Method POST ### Endpoint /api/v1/ransom-notes ### Parameters #### Request Body - **group_name** (string) - Required - The name of the ransomware group. - **note_title** (string) - Required - The title of the ransom note. - **note_content** (string) - Required - The content of the ransom note. - **filename** (string) - Required - The filename for the note. - **file_extensions** (string) - Required - Comma-separated list of file extensions. ### Request Example ``` curl -X POST "http://localhost:8000/api/v1/ransom-notes" \ -d "group_name=newgroup" \ -d "note_title=New Ransom Note" \ -d "note_content=Your files have been encrypted" \ -d "filename=readme.txt" \ -d "file_extensions=.enc,.locked" ``` ``` -------------------------------- ### Check System Status Source: https://github.com/frknaykc/dragonseye-ransomwaretracker/blob/main/README.md Provides a snapshot of the DragonsEye system's health, including API status, data freshness, database statistics, and the number of HTML files processed. The verbose and watch flags offer more detailed or live monitoring. ```bash # Quick status python3 bin/status.py # Verbose status (with recent victims) python3 bin/status.py -v # Live monitoring (refreshes every 10s) python3 bin/status.py --watch ```