
from asi16
Collect and analyze ransomware data-leak site (DLS) posts to extract victim, group, sector and geographic trends for threat intelligence and proactive defense.
This skill provides a reproducible workflow to safely collect, parse, and analyze ransomware data-leak site (DLS) postings from public tracking feeds. It shows how to ingest victim posts (e.g. Ransomwatch), extract structured fields (group, sector, country, discovery date), compute group activity trends, assess sector/geographic risk, and produce an intelligence report with recommendations for SOCs and defenders. The materials include Python examples and analysis patterns for monthly trend aggregation, new-group detection, and sector-level risk scoring.
Use this skill when investigating a security incident potentially tied to ransomware, when building detection rules informed by active actors, or when producing periodic threat intelligence reports for executive and operational stakeholders. It's intended for security analysts, threat intel teams, and SOC engineers working in isolated research environments.
This skill contains procedural Python examples and defensive analysis guidance; it is compatible with agents or tooling that can run Python notebooks or scripts (security research assistants, code-capable agents like Copilot/Code models) and with human analyst workflows.
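As an added illustration of the monthly aggregation, new-group detection and sector-level scoring described above (example code written for this page, not the skill's own materials): it assumes Ransomwatch-style records carrying `post_title`, `group_name` and `discovered` fields, and treats `sector` and `country` as analyst-added enrichment fields that the raw feed does not supply.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the shape of a Ransomwatch-style posts feed
# (post_title, group_name, discovered). "sector" and "country" are assumed
# analyst-added enrichment fields, not part of the raw feed.
SAMPLE_POSTS = [
    {"post_title": "acme-health.example", "group_name": "groupA", "discovered": "2024-01-03 10:00:00.000000", "sector": "healthcare", "country": "US"},
    {"post_title": "werkstatt.example", "group_name": "groupB", "discovered": "2024-01-15 08:30:00.000000", "sector": "manufacturing", "country": "DE"},
    {"post_title": "city-clinic.example", "group_name": "groupA", "discovered": "2024-02-02 12:00:00.000000", "sector": "healthcare", "country": "US"},
    {"post_title": "school-trust.example", "group_name": "groupA", "discovered": "2024-02-20 09:00:00.000000", "sector": "education", "country": "GB"},
    {"post_title": "steelworks.example", "group_name": "groupC", "discovered": "2024-02-25 17:45:00.000000", "sector": "manufacturing", "country": "US"},
    {"post_title": "broken-record.example", "group_name": "groupB", "discovered": "unknown"},  # malformed date: must be dropped
]

def parse_posts(records):
    """Normalise raw feed records into analysis rows keyed by discovery month.
    Records with a missing or unparseable discovery date are skipped, never guessed."""
    rows = []
    for r in records:
        try:
            ts = datetime.strptime(r["discovered"], "%Y-%m-%d %H:%M:%S.%f")
        except (KeyError, ValueError):
            continue
        rows.append({"month": ts.strftime("%Y-%m"), "group": r.get("group_name", "unknown").lower(),
                     "sector": r.get("sector", "unknown"), "country": r.get("country", "unknown")})
    return rows

def monthly_group_counts(rows):
    """Posts per (month, group): the series behind group activity trend lines."""
    return Counter((p["month"], p["group"]) for p in rows)

def new_groups(rows, month):
    """Groups whose first observed post falls in `month` (new-actor detection)."""
    first_seen = {}
    for p in sorted(rows, key=lambda p: p["month"]):
        first_seen.setdefault(p["group"], p["month"])
    return sorted(g for g, m in first_seen.items() if m == month)

def sector_risk(rows, months):
    """Share of posts per sector within the given months, as a 0-1 risk score."""
    window = [p for p in rows if p["month"] in months]
    counts = Counter(p["sector"] for p in window)
    return {s: round(n / len(window), 2) for s, n in counts.items()}

if __name__ == "__main__":
    posts = parse_posts(SAMPLE_POSTS)
    print("new groups in 2024-02:", new_groups(posts, "2024-02"))
    print("sector risk for 2024-02:", sector_risk(posts, {"2024-02"}))
```

Swap `SAMPLE_POSTS` for the records loaded from a local copy of the feed; the group-activity counter feeds the monthly trend table and the new-group list is the trigger for refreshing actor-informed detection rules.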
This skill has not been reviewed by our automated audit pipeline yet.