User Guide

Synapse-RansomLook User Guide

Synapse-RansomLook adds new Storm commands to allow you to query the RansomLook API. The RansomLook API does not require an API key.

Getting Started

Check with your Admin to enable permissions.

Examples

Ingest threat group information

> [ ou:name=ransomexx ] | ransomlook.group --yield --skip-fileparser
media:news=f58b32ce2b59a7d25b0017b6d22ee617
        .created = 2024/11/19 21:26:46.676
        :published = 2024/11/19 21:26:46.396
        :publisher:name = ransomlook
        :summary = RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
        :title = ransomexx
        :url = https://www.ransomlook.io/group/ransomexx
        :url:fqdn = www.ransomlook.io

Pivot to the captured screenshots.

> media:news:title=ransomexx -(refs)> it:exec:url
it:exec:url=755a544b09e53ee713829deffd92e444
        .created = 2024/11/19 21:26:47.755
        :page:html = sha256:66aae96648e855804e61072ee28ac8e697e1e138fb77e317fd4b91d9bfba95ea
        :page:image = sha256:51b9e63d64e6aa3fee8f8078ba89202897e49e52c00ba08a81a6c002b9c05d65
        :time = 2024/06/20 17:06:18.502
        :url = http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/
it:exec:url=a464b2ef2042dc83ce3c5116c3842c04
        .created = 2024/11/19 21:26:47.908
        :page:html = sha256:88682d87703951484058d02349aeea08775c18584d76a2a802888ae13a272b26
        :page:image = sha256:674ef051d5abc4bced3d05c4241419acd43a6e3b87ae1ad047b75682e0e4587c
        :time = 2024/06/20 17:06:03.508
        :url = http://zubllg7o774lgc4rdxmfcfpjewfkqa7ml7gxwl5fetogc7hbkvaprhid.onion/

Pivot to posts associated with the threat group.

> risk:threat:org:name=ransomexx +:reporter:name=ransomlook -> syn:tag -> risk:extortion limit 1
risk:extortion=a13ea6f76007b101d6541a8f227a3b5a
        .created = 2024/11/19 21:26:56.005
        .seen = ('2021/09/09 23:46:57.385', '2021/09/09 23:46:57.386')
        :desc = Gigabyte Technology is a Taiwanese manufacturer and distributor of computer hardware. Gigabyte's principal business is motherboards.
        :name = gigabyte technology
        :reporter = ebc9a8089967f67296b974d3b4905f2b
        :reporter:name = ransomlook
        #rep.ransomlook.ransomexx

Use of meta:source nodes

Synapse-RansomLook uses a meta:source node and -(seen)> light weight edges to track nodes observed from the RansomLook API.

> meta:source=af0021ad20e39d8cdf5a860d6f113004
meta:source=af0021ad20e39d8cdf5a860d6f113004
        .created = 2024/11/19 21:26:46.395
        :name = ransomlook api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-RansomLook. The following example shows how to filter the results of a query to include only results observed by Synapse-RansomLook:

> inet:url:fqdn=www.trendmicro.com +{ <(seen)- meta:source=af0021ad20e39d8cdf5a860d6f113004 }
inet:url=https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
        .created = 2024/11/19 21:26:47.547
        :base = https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
        :fqdn = www.trendmicro.com
        :params =
        :path = /en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
        :port = 443
        :proto = https
inet:url=https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
        .created = 2024/11/19 21:26:47.567
        :base = https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
        :fqdn = www.trendmicro.com
        :params =
        :path = /vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
        :port = 443
        :proto = https