from anthropic-cybersecurity-skills4,245
Collect and analyze ransomware data-leak site (DLS) postings to extract victim, group, sector, and timeline intelligence for threat hunting and risk assessment.
This skill provides a reproducible workflow for safely collecting and analyzing ransomware data-leak site (DLS) information. It shows how to ingest public tracking feeds (e.g., Ransomwatch), extract structured victim and group metadata, compute group activity trends, and produce sector- and country-level risk assessments and intelligence reports. The included examples and scripts focus on safe collection practices (Tor-isolated VMs or commercial feeds) and downstream analysis in Python (pandas, plotting, counters).
Use this skill when investigating security incidents that may involve data exfiltration, when building detection rules or threat-hunting queries for ransomware activity, or when assessing sector-specific ransomware exposure for an organization or supply chain. Also useful for SOC analysts producing periodic intelligence reports.
Practical for agents and tooling that support Python script execution and network access to public feeds (Claude Code, Copilot/Codex-based runners, Cursor, Gemini CLI).
This skill guides agents through collecting and analyzing ransomware data-leak site intelligence from public feeds like Ransomwatch and ransomware.live. The SKILL.md is well-structured with solid conceptual explanations and NIST CSF mappings, and the bundled agent.py script has good error handling and clean Python code. However, the primary API endpoint (api.ransomware.live/recentvictims) returns 404 — the URL is outdated and the script is non-functional at runtime. The secondary ransomlook.io API was not tested but may also have availability issues.
Legitimate cybersecurity threat intelligence skill. The 404 on the API is likely due to endpoint migration at ransomware.live rather than a code bug — the API may have moved to a different path. Skill would benefit from updating the API URL and adding a fallback to the Ransomwatch GitHub raw JSON (which is also referenced in the SKILL.md but not in agent.py). No security concerns — all collection is from authorized public sources as the SKILL.md correctly emphasizes.
