Package Documentation

Storm Package: synapse-ransomlook

The following Commands are available from this package. This documentation is generated for version 0.1.1 of the package.

Storm Commands

This package implements the following Storm Commands.

ransomlook.group

Ingest a threat group from the RansomLook API.

This command will yield a media:news node representing the
RansomLook profile for the group. The following additional data
will be linked via a -(refs)> lightweight edge:
  - risk:threat for the group
  - inet:url nodes for profile links
  - inet:url and it:exec:url nodes for the screen captures (if available)
  - risk:extortion nodes for the group's posts

If a post (risk:extortion node) links to a screenshot, the screenshot is
downloaded and recorded as an it:exec:url node whose :url property equals
the post's :public:url property.

If Synapse-Fileparser is available, screenshots will be parsed.
This behavior can be disabled via --skip-fileparser.

Examples:

  // Ingest a threat group by name and yield the media:news node
  ou:name=avoslocker | ransomlook.group --yield

  // Pivot to posts linked to the threat group
  risk:threat:org:name=avoslocker | ransomlook.group | -(refs)> risk:extortion


Usage: ransomlook.group [options]

Options:

  --help                      : Display the command usage.
  --skip-fileparser           : Skip parsing screen captures using Synapse-Fileparser.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

ransomlook.groups

Ingest all available threat groups from the RansomLook API.

This command will yield risk:threat nodes. The --full
option can be used to also download and ingest the threat group information.

Examples:

  // Ingest all threat groups, only creating risk:threat nodes
  ransomlook.groups --yield

  // Ingest threat groups and their associated information
  ransomlook.groups --yield --size 2 --full


Usage: ransomlook.groups [options]

Options:

  --help                      : Display the command usage.
  --skip-fileparser           : Skip parsing screen captures using Synapse-Fileparser if --full is specified.
  --full                      : Ingest the full information for each group.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

ransomlook.setup.tagprefix

Set the tag prefix used when recording RansomLook data as tags.
The default tag prefix is "rep.ransomlook" if not specified.

Any tags provided by the RansomLook API will be added within the given namespace.
For example, the item "foo" would result in "#rep.ransomlook.foo". Any
characters incompatible with tag names are replaced with "_".


Usage: ransomlook.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.
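The following is an added example, not part of the generated package documentation, that ties the three commands together: it sets a custom tag prefix, ingests a bounded batch of groups, lifts what was tagged under that prefix, and walks from one group's profile to its posts and screen captures. Only the commands, options and forms described above are used; the prefix value rep.ransomlook.lab, the group name avoslocker (taken from the examples above) and the --size value are arbitrary choices for illustration. Each query is meant to be run on its own.

```storm
// Added example (not from the package docs). Run each query separately.

// 1. Record RansomLook tags under a custom prefix instead of the default
//    rep.ransomlook. The API item "foo" then becomes #rep.ransomlook.lab.foo.
ransomlook.setup.tagprefix rep.ransomlook.lab

// 2. Ingest the first five groups with their full information, yielding the
//    created nodes. --skip-fileparser leaves the downloaded screen captures
//    unparsed; drop the flag if Synapse-Fileparser should process them.
ransomlook.groups --size 5 --full --skip-fileparser --yield

// 3. Lift every node tagged anywhere under the custom prefix.
#rep.ransomlook.lab

// 4. Starting from a group's risk:threat node, refresh its profile and walk
//    the -(refs)> edges to the posts that carry a screenshot link.
risk:threat:org:name=avoslocker | ransomlook.group | -(refs)> risk:extortion +:public:url

// 5. From the same profile, walk to the it:exec:url nodes that record the
//    downloaded screen captures (their :url matches the post's :public:url).
risk:threat:org:name=avoslocker | ransomlook.group | -(refs)> it:exec:url
```

The `#rep.ransomlook.lab` lift returns nodes carrying that tag or any tag beneath it, which is why a dedicated prefix makes RansomLook-derived tags easy to separate from tags applied by other sources. The `+:public:url` filter keeps only posts that have the property set, so step 4 returns exactly the posts for which step 5 can have produced an it:exec:url node.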

Storm Modules

This package does not export any Storm APIs.