
Analyzing Ransomware Leak Site Intelligence
from anthropic-cybersecurity-skills (4,047 stars)
Collect and analyze ransomware data-leak site (DLS) postings to extract victim, group, sector, and timeline intelligence for threat hunting and risk assessment.
What it does
This skill provides a reproducible workflow for safely collecting and analyzing ransomware data-leak site (DLS) information. It shows how to ingest public tracking feeds (e.g., Ransomwatch), extract structured victim and group metadata, compute group activity trends, and produce sector- and country-level risk assessments and intelligence reports. The included examples and scripts focus on safe collection practices (Tor-isolated VMs or commercial feeds) and downstream analysis in Python (pandas, plotting, counters).
When to use it
Use this skill when investigating security incidents that may involve data exfiltration, when building detection rules or threat-hunting queries for ransomware activity, or when assessing sector-specific ransomware exposure for an organization or supply chain. It is also useful for SOC analysts producing periodic intelligence reports.
What's included
- Scripts: Python ingestion and analysis examples that fetch Ransomwatch posts and compute monthly/group trends.
- References: Links to Ransomwatch and wider intelligence sources.
- Instructions: Step-by-step workflow: ingest feeds, analyze group trends, assess sector/geographic risk, track new/rebranding groups, and generate a formatted intelligence report.
Compatible agents
Practical for agents and tooling that support Python script execution and network access to public feeds (Claude Code, Copilot/Codex-based runners, Cursor, Gemini CLI).
Information
- Repository: anthropic-cybersecurity-skills
- Stars: 4,047
- Installs: 0