-
Notifications
You must be signed in to change notification settings - Fork 258
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #983 from Delta-Sierra/main
add ransomlook_update script
- Loading branch information
Showing
1 changed file
with
152 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
| import requests | ||
| import json | ||
| import time | ||
| import uuid | ||
| import re | ||
| from pathlib import Path | ||
|
|
||
| # open clusters/ransomware | ||
| ransompath = Path(__file__).parent.parent.parent / 'clusters' / 'ransomware.json' | ||
| ransomware_galaxy = ransompath.open("r") | ||
| ransom_galaxy = json.load(ransomware_galaxy) | ||
| ransomware_galaxy.close() | ||
|
|
||
| # get groups names from ransomlook | ||
| ransomlook_groups = requests.get("https://www.ransomlook.io/api/groups") | ||
| ransomlook_groups = ransomlook_groups.json() | ||
|
|
||
| # tracking updated and created clusters | ||
| updated = [] | ||
| created = [] | ||
|
|
||
| # preparing name groups exception management | ||
| # For now, only seen exceptions are groups with a known synonym in parentheses | ||
| # ex: "Eraleign (Apt73)" | ||
| exceptions = [] | ||
|
|
||
| pattern = re.compile(r'^(.*)\((.*)\)$') | ||
|
|
||
| for rlookgroup in ransomlook_groups: | ||
| match = pattern.match(rlookgroup) | ||
| if match: | ||
| # Name as registred in ransomlook, first known name, synonym | ||
| exceptions.append((rlookgroup, match.group(1).strip(), match.group(2).strip())) | ||
|
|
||
| for rlookgroup in ransomlook_groups: | ||
| # check if it is an exception | ||
| true_rlookgroup = rlookgroup | ||
| synonym = "" | ||
| if exceptions: | ||
| for exception in exceptions: | ||
| if rlookgroup.lower() == exception[0].lower(): | ||
| rlookgroup = exception[1] | ||
| synonym = exception[2] | ||
| break | ||
|
|
||
| # get data from ransomlook | ||
| ransom_data = requests.get( | ||
| "https://www.ransomlook.io/api/group/" + str(true_rlookgroup) | ||
| ).json() | ||
|
|
||
| # checking if the cluster exists | ||
| cluster_exist = False | ||
| for cluster in ransom_galaxy['values']: | ||
| if cluster['value'].lower() == rlookgroup.lower(): | ||
| cluster_exist = True | ||
| elif 'meta' in cluster: | ||
| if 'synonyms' in cluster['meta']: | ||
| for syn in cluster['meta']['synonyms']: | ||
| if syn.lower() == rlookgroup.lower(): | ||
| cluster_exist = True | ||
|
|
||
| # Updating the cluster if existing | ||
| if cluster_exist == True: | ||
| if 'description' not in cluster: | ||
| if ransom_data[0]['meta'] is not None: | ||
| cluster['description'] = ransom_data[0]['meta'] | ||
| if 'meta' not in cluster: | ||
| cluster['meta'] = {} | ||
| if 'links' not in cluster['meta']: | ||
| cluster['meta']['links'] = [] | ||
|
|
||
| if 'locations' in ransom_data[0]: | ||
| for location in ransom_data[0]['locations']: | ||
| if location['slug'] not in cluster['meta']['links']: | ||
| cluster['meta']['links'].append(location['slug']) | ||
|
|
||
| if synonym: | ||
| if 'synonyms' not in cluster['meta']: | ||
| cluster['meta']['synonyms'] = [] | ||
| cluster['meta']['synonyms'].append(synonym) | ||
|
|
||
| if 'refs' not in cluster['meta']: | ||
| cluster['meta']['refs'] = [] | ||
| if 'profile' in ransom_data[0]: | ||
| for url in ransom_data[0]['profile']: | ||
| if url not in cluster['meta']['refs']: | ||
| cluster['meta']['refs'].append(url) | ||
| url = "https://www.ransomlook.io/group/" + true_rlookgroup | ||
| if url not in cluster['meta']['refs']: | ||
| cluster['meta']['refs'].append(url) | ||
|
|
||
| if 'uuid' not in cluster: | ||
| cluster['uuid'] = str( | ||
| uuid.uuid5( | ||
| uuid.UUID('10cf658b-5d32-4c4b-bb32-61760a640372'), rlookgroup | ||
| ) | ||
| ) | ||
| break | ||
|
|
||
| if cluster_exist == True: | ||
| updated.append(str(rlookgroup)) | ||
| else: | ||
| # creating a new cluster | ||
| created.append(str(rlookgroup)) | ||
| new_cluster = {} | ||
| new_cluster['value'] = rlookgroup | ||
| if ransom_data[0]['meta'] is not None: | ||
| new_cluster['description'] = ransom_data[0]['meta'] | ||
| new_cluster['meta'] = {} | ||
|
|
||
| new_cluster['meta']["links"] = [] | ||
| if 'locations' in ransom_data[0]: | ||
| for location in ransom_data[0]['locations']: | ||
| if location['slug'] not in new_cluster['meta']['links']: | ||
| new_cluster['meta']["links"].append(location['slug']) | ||
|
|
||
| if synonym: | ||
| new_cluster['meta']['synonyms'] = [] | ||
| new_cluster['meta']['synonyms'].append(synonym) | ||
|
|
||
| new_cluster['meta']["refs"] = [] | ||
|
|
||
| url = "https://www.ransomlook.io/group/" + true_rlookgroup | ||
| if url not in new_cluster['meta']['refs']: | ||
|
|
||
| new_cluster['meta']['refs'].append(url) | ||
|
|
||
| if 'profile' in ransom_data[0]: | ||
| for url in ransom_data[0]['profile']: | ||
| if url not in new_cluster['meta']['refs']: | ||
| new_cluster['meta']["refs"].append(url) | ||
| new_cluster['uuid'] = str( | ||
| uuid.uuid5(uuid.UUID('10cf658b-5d32-4c4b-bb32-61760a640372'), rlookgroup) | ||
| ) | ||
|
|
||
| ransom_galaxy['values'].append(new_cluster) | ||
|
|
||
|
|
||
| print("\n" + str(len(updated)) + " clusters updated:") | ||
| print(updated) | ||
|
|
||
| print("\n" + str(len(created)) + " clusters created:") | ||
| print(created) | ||
|
|
||
| print("\nTotal modified :" + str(len(updated) + len(created))) | ||
|
|
||
| ransom_galaxy['version'] = ransom_galaxy['version'] + 1 | ||
|
|
||
| tojson = json.dumps(ransom_galaxy, indent=2, ensure_ascii=False) | ||
| ransomware_galaxy = ransompath.open("w+") | ||
| ransomware_galaxy.write(tojson) | ||
| ransomware_galaxy.close() |