# RansomLook & OnionLookup Analysis Workshop

This workshop combines two powerful threat intelligence platforms for analyzing ransomware activities and dark web infrastructure. These tools provide critical insights into ransomware operations and hidden services on the Tor network.

## What is RansomLook?

RansomLook is a comprehensive ransomware tracking platform that monitors ransomware group activities across the dark web. It provides:
- **Real-time Monitoring:** Tracks posts and victims published by ransomware groups
- **Group Intelligence:** Detailed information about ransomware group operations
- **Victim Tracking:** Lists of organizations targeted by ransomware groups
- **Infrastructure Mapping:** Onion addresses and communication channels used by groups
- **Timeline Analysis:** Historical data showing ransomware group activities over time

## What is OnionLookup?

OnionLookup is a specialized service for analyzing Tor hidden services (.onion addresses). It offers:
- **Onion Address Intelligence:** Detailed information about .onion domains
- **Service Classification:** Categorization of hidden services by type and purpose
- **Historical Data:** Timeline of onion service availability and changes
- **Relationship Mapping:** Connections between different onion addresses
- **Security Assessment:** Analysis of onion service configurations and security

## Key Features

### RansomLook Capabilities:
- Recent ransomware posts and victim announcements
- Group-specific activity tracking
- Infrastructure discovery (onion addresses, communication channels)

### OnionLookup Capabilities:
- Onion address validation and analysis
- Service fingerprinting and classification
- Historical availability tracking

## Documentation

### API Documentation:
- **RansomLook API:** https://www.ransomlook.io/doc/
- **OnionLookup API:** https://onion.ail-project.org/apiman/swagger/

### Use Cases:
- **Threat Intelligence:** Monitor ransomware group activities and infrastructure
- **Incident Response:** Investigate ransomware attacks and related infrastructure
- **Research:** Study ransomware ecosystem evolution and tactics
- **Security Operations:** Proactive threat hunting and IOC development

## Learning Objectives

By the end of this workshop, you will be able to:
1. Query recent ransomware activities and victim posts
2. Extract and analyze onion addresses from ransomware group infrastructure
3. Perform detailed analysis of Tor hidden services
4. Correlate ransomware group activities with their infrastructure
5. Build comprehensive threat intelligence profiles of ransomware operations

## Exercises

### API Setup and Configuration

Both RansomLook and OnionLookup provide public APIs that don't require authentication for basic queries. We'll configure HTTP sessions to interact with both services efficiently.

**Service Endpoints:**
- **RansomLook:** https://www.ransomlook.io/api/
- **OnionLookup:** https://onion.ail-project.org/api/

**Security Considerations:**
- These APIs provide access to sensitive threat intelligence data
- Some information may relate to active criminal operations
- Use responsibly for legitimate security research and defense purposes

In [1]:
import requests
import json
from datetime import datetime

# Configure HTTP sessions for API communication
print("Configuring API sessions for RansomLook and OnionLookup...")

# RansomLook session configuration
ransomlook = requests.Session()

# OnionLookup session configuration  
onionlookup = requests.Session()

print("API sessions configured successfully!")
print("Ready to query RansomLook and OnionLookup services.")

Configuring API sessions for RansomLook and OnionLookup...
API sessions configured successfully!
Ready to query RansomLook and OnionLookup services.


### Exercise 1.0: Retrieve Recent Ransomware Posts

**Objective:** Query the most recent ransomware group activities and victim announcements from RansomLook.

**Understanding Ransomware Posts:**
Ransomware groups typically publish information about their activities on dark web platforms, including:
- **Victim Announcements:** Public naming and shaming of organizations that refuse to pay
- **Proof of Data Theft:** Screenshots or file listings as evidence of successful breaches
- **Extortion Threats:** Deadlines and consequences for non-payment
- **Group Communications:** Updates on operations, tools, and recruitment

**API Endpoint:** `https://www.ransomlook.io/api/recent/[limit]`

**Analysis Questions:**
- Which ransomware groups are currently most active?
- What types of organizations are being targeted?
- Are there patterns in posting frequency or timing?

In [8]:
# Query recent ransomware posts from RansomLook
limit = 5
print(f"Retrieving the {limit} most recent ransomware posts...")
print("This provides current threat intelligence on active ransomware campaigns.")

try:
    response = ransomlook.get(f'https://www.ransomlook.io/api/recent/{limit}')
    response.raise_for_status()
    posts = response.json()
    
    if posts:
        print(f"\nSuccessfully retrieved {len(posts)} recent posts!")
        print(f"Recent Ransomware Activity Report")
        print("=" * 50)
        
        # Analyze and display each post
        groups_seen = set()
        for i, post in enumerate(posts, 1):
            print(f"\nPost #{i}:")
            print(f"  Group: {post.get('group_name', 'Unknown')}")
            print(f"  Title: {post.get('post_title', 'No title')}")
            print(f"  Discovered: {post.get('discovered', 'Unknown date')}")
            
            # Extract additional details if available
            if 'description' in post:
                print(f"  Description: {post['description']}")
            
            if 'website' in post:
                print(f"  Source: {post['website']}")
                
            groups_seen.add(post.get('group_name', 'Unknown'))
        
        # Summary analysis
        print(f"\nAnalysis Summary:")
        print(f"Active ransomware groups: {len(groups_seen)}")
        print(f"Groups observed: {', '.join(sorted(groups_seen))}")
        print(f"Data collection time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
    else:
        print("No recent posts found.")
        
except requests.exceptions.RequestException as e:
    print(f"Error retrieving recent posts: {e}")
    print("Please check network connectivity and API availability.")
except json.JSONDecodeError as e:
    print(f"Error parsing response data: {e}")
except Exception as e:
    print(f"Unexpected error: {e}")

Retrieving the 5 most recent ransomware posts...
This provides current threat intelligence on active ransomware campaigns.

Successfully retrieved 5 recent posts!
Recent Ransomware Activity Report

Post #1:
  Group: sarcoma
  Title: Paul Hildebrandt
  Discovered: 2025-11-11 09:25:15.330841
  Description: Site: hildebrandt.de
														Industry: Manufacturing
														GEO: Germany

Post #2:
  Group: safepay
  Title: himmelstein.com
  Discovered: 2025-11-11 08:25:05.471987
  Description: S. Himmelstein & Company is a U.S.-based specialist manufacturer founded in 1960, headquartered in Hoffman Estates, Illinois. The company focuses â€¦

Post #3:
  Group: nightspire
  Title: Vascara, Vietnam
  Discovered: 2025-11-11 02:25:43.209555
  Description: 

Post #4:
  Group: everest
  Title: SIAD
  Discovered: 2025-11-11 02:25:38.719498
  Description: 

Post #5:
  Group: everest
  Title: AGFA
  Discovered: 2025-11-11 02:25:37.776911
  Description: 

Analysis Summary:
Active ransomware grou

### Exercise 1.1: Extract Onion Addresses from Ransomware Groups

**Objective:** Discover and catalog the Tor hidden service infrastructure used by ransomware groups.

**Understanding Ransomware Infrastructure:**
Ransomware groups rely heavily on Tor hidden services for their operations:
- **Leak Sites:** Where stolen data is published and victims are named
- **Payment Portals:** Secure channels for ransom negotiations and payments
- **Communication Channels:** Internal group communications and recruitment
- **Administrative Panels:** Management interfaces for ransomware operations
- **Data Storage:** Hosting stolen files for download or verification

**Why Onion Address Intelligence Matters:**
- **Infrastructure Mapping:** Understand the scope of ransomware operations
- **Threat Hunting:** Track and monitor ransomware group activities
- **Attribution:** Link different campaigns to the same threat actors
- **Disruption:** Provide intelligence for takedown operations
- **Defense:** Block access to known ransomware infrastructure

**Onion Address Characteristics:**
- **Version 3 Addresses:** 56-character addresses ending in .onion
- **Persistent Infrastructure:** Often reused across multiple campaigns
- **Redundancy:** Groups typically maintain multiple mirrors
- **Evolution:** Addresses change in response to takedowns or operational security

**Data Collection Process:**
1. Query group-specific posts and activities
2. Extract location/infrastructure information from posts
3. Filter for .onion domains from the extracted data
4. Catalog unique onion addresses per ransomware group

**API Endpoint:** `https://www.ransomlook.io/api/group/[name]`

**Security Considerations:**
- These addresses may lead to active criminal infrastructure
- Do not visit these addresses without proper security precautions
- Use this intelligence for defensive and research purposes only

**Analysis Questions:**
- How many unique onion addresses does each group maintain?
- Are there shared infrastructure patterns between groups?
- How frequently do groups change their onion addresses?

In [9]:
# Extract onion addresses from ransomware group infrastructure
print("Extracting onion addresses from ransomware group infrastructure...")
print("This will map the dark web infrastructure used by active groups.")

onion_urls = {}
total_posts_processed = 0
total_onions_found = 0

try:
    if 'posts' in locals() and posts:
        print(f"\nProcessing {len(posts)} groups from recent posts...")
        
        for post in posts:
            group_name = post.get('group_name', 'Unknown')
            print(f"\nAnalyzing group: {group_name}")
            
            try:
                # Query group-specific information
                group_response = ransomlook.get(f"https://www.ransomlook.io/api/group/{group_name}")
                group_response.raise_for_status()
                group_posts = group_response.json()
                
                if group_posts:
                    print(f"  Retrieved {len(group_posts)} posts for {group_name}")
                    total_posts_processed += len(group_posts)
                    
                    # Initialize onion URL list for this group
                    onion_urls[group_name] = []
                    
                    # Extract onion addresses from group posts
                    for group_post in group_posts:
                        if 'locations' in group_post:
                            for loc in group_post['locations']:
                                if isinstance(loc, dict) and 'fqdn' in loc:
                                    if loc['fqdn'].endswith('.onion'):
                                        onion_address = loc['fqdn']
                                        if onion_address not in onion_urls[group_name]:
                                            onion_urls[group_name].append(onion_address)
                                            total_onions_found += 1
                    
                    print(f"  Found {len(onion_urls[group_name])} unique onion addresses")
                
                else:
                    print(f"  No posts found for {group_name}")
                    onion_urls[group_name] = []
                    
            except requests.exceptions.RequestException as e:
                print(f"  Error querying {group_name}: {e}")
                onion_urls[group_name] = []
            except Exception as e:
                print(f"  Unexpected error processing {group_name}: {e}")
                onion_urls[group_name] = []
        
        # Display comprehensive results
        print(f"\nRansomware Group Infrastructure Analysis")
        print("=" * 45)
        
        groups_with_onions = 0
        for group, urls in onion_urls.items():
            if urls:
                groups_with_onions += 1
                print(f"\n{group}:")
                for i, url in enumerate(urls, 1):
                    print(f"  {i}. {url}")
            else:
                print(f"\n{group}: No onion addresses found")
        
        # Summary statistics
        print(f"\nInfrastructure Analysis Summary:")
        print(f"Groups analyzed: {len(onion_urls)}")
        print(f"Groups with onion infrastructure: {groups_with_onions}")
        print(f"Total posts processed: {total_posts_processed}")
        print(f"Total unique onion addresses: {total_onions_found}")
        
        if total_onions_found > 0:
            avg_onions_per_group = total_onions_found / groups_with_onions if groups_with_onions > 0 else 0
            print(f"Average onions per active group: {avg_onions_per_group:.1f}")
        
    else:
        print("No posts data available. Please run the previous exercise first.")
        
except Exception as e:
    print(f"Error during onion address extraction: {e}")
    print("Please ensure the previous exercise completed successfully.")

Extracting onion addresses from ransomware group infrastructure...
This will map the dark web infrastructure used by active groups.

Processing 5 groups from recent posts...

Analyzing group: sarcoma
  Retrieved 2 posts for sarcoma
  Found 124 unique onion addresses

Analyzing group: safepay
  Retrieved 2 posts for safepay
  Found 12 unique onion addresses

Analyzing group: nightspire
  Retrieved 2 posts for nightspire
  Found 4 unique onion addresses

Analyzing group: everest
  Retrieved 2 posts for everest
  Found 6 unique onion addresses

Analyzing group: everest
  Retrieved 2 posts for everest
  Found 6 unique onion addresses

Ransomware Group Infrastructure Analysis

sarcoma:
  1. sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion
  2. bi32pq7y3gqq3qacgvamnk2s2elnppvevqp325wtk2wo7vh2zavjcfid.onion
  3. 54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion
  4. ngvvafvhfgwknj63ivqjqdxc7b5fyedo67zshblipo5a2zuair5t4nid.onion
  5. icmghe66zl4twvbv5g4h532mogcea44hr

### Exercise 1.2: Analyze Tor Hidden Service Details

**Objective:** Perform deep analysis of a specific onion address to understand its characteristics and operational status.

**Understanding Onion Address Analysis:**
OnionLookup provides comprehensive intelligence about Tor hidden services, including:
- **Service Classification:** Type and purpose of the hidden service
- **Availability History:** Timeline of when the service was accessible
- **Content Analysis:** Screenshots and content fingerprinting
- **Security Assessment:** SSL certificates, HTTP headers, and security configurations
- **Related Services:** Connections to other onion addresses or infrastructure

**Intelligence Value:**
- **Threat Assessment:** Understand the scope and nature of criminal services
- **Infrastructure Tracking:** Monitor changes in threat actor infrastructure
- **Attribution:** Link services to specific threat actors or campaigns
- **Defensive Intelligence:** Develop blocking and detection capabilities

**About This Analysis:**
We'll analyze a known ransomware-related onion address to demonstrate the depth of intelligence available through OnionLookup. This provides insight into:
- How ransomware groups structure their hidden services
- What security measures they implement
- How their infrastructure evolves over time

**API Endpoint:** `https://onion.ail-project.org/api/lookup/[address]`

**Operational Security Notes:**
- This analysis is performed without directly accessing the onion service
- OnionLookup provides safe intelligence without visiting criminal infrastructure
- Data comes from automated crawling and analysis systems

**Analysis Questions:**
- What type of service is hosted at this onion address?
- How long has this service been operational?
- What security measures has the operator implemented?
- Are there connections to other known criminal infrastructure?

In [10]:
# Analyze a specific onion address using OnionLookup
address = 'threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion'
print(f"Analyzing onion address: {address}")
print("Retrieving comprehensive intelligence from OnionLookup...")

try:
    response = onionlookup.get(f"https://onion.ail-project.org/api/lookup/{address}")
    response.raise_for_status()
    data = response.json()
    
    if data:
        print(f"\nOnion Address Intelligence Report")
        print("=" * 50)
        print(f"Target: {address}")
        print(f"Analysis Date: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
        
        # Service Status and Basic Information
        print(f"\nService Status Information:")
        if 'status' in data:
            print(f"  Current Status: {data['status']}")
        if 'first_seen' in data:
            print(f"  First Observed: {data['first_seen']}")
        if 'last_seen' in data:
            print(f"  Last Observed: {data['last_seen']}")
        
        # Service Classification
        print(f"\nService Classification:")
        if 'tags' in data and data['tags']:
            print(f"  Categories: {', '.join(data['tags'])}")
        else:
            print(f"  Categories: Not classified")
            
        if 'service_type' in data:
            print(f"  Service Type: {data['service_type']}")
        
        # Technical Details
        print(f"\nTechnical Information:")
        if 'server' in data:
            print(f"  Server Software: {data['server']}")
        if 'title' in data:
            print(f"  Page Title: {data['title']}")
        if 'content_type' in data:
            print(f"  Content Type: {data['content_type']}")
        
        # Security Information
        print(f"\nSecurity Analysis:")
        if 'ssl' in data:
            ssl_info = data['ssl']
            if isinstance(ssl_info, dict):
                if 'certificate' in ssl_info:
                    print(f"  SSL Certificate: Present")
                if 'issuer' in ssl_info:
                    print(f"  Certificate Issuer: {ssl_info['issuer']}")
            else:
                print(f"  SSL Status: {ssl_info}")
        
        # Content Analysis
        print(f"\nContent Analysis:")
        if 'description' in data:
            desc = data['description'][:200] + "..." if len(data['description']) > 200 else data['description']
            print(f"  Description: {desc}")
        
        if 'language' in data:
            print(f"  Language: {data['language']}")
        
        # Related Intelligence
        print(f"\nRelated Intelligence:")
        if 'related_onions' in data and data['related_onions']:
            print(f"  Related Onion Services: {len(data['related_onions'])}")
            for related in data['related_onions'][:3]:  # Show first 3
                print(f"    - {related}")
            if len(data['related_onions']) > 3:
                print(f"    ... and {len(data['related_onions']) - 3} more")
        else:
            print(f"  Related Services: None identified")
        
        # Historical Activity
        print(f"\nHistorical Activity:")
        if 'uptime_percentage' in data:
            print(f"  Uptime: {data['uptime_percentage']}%")
        if 'total_checks' in data:
            print(f"  Total Availability Checks: {data['total_checks']}")
        
        # Risk Assessment
        print(f"\nRisk Assessment:")
        risk_factors = []
        if 'tags' in data and data['tags']:
            if any('illegal' in tag.lower() or 'criminal' in tag.lower() for tag in data['tags']):
                risk_factors.append("Criminal content classification")
            if any('marketplace' in tag.lower() for tag in data['tags']):
                risk_factors.append("Marketplace functionality")
        
        if risk_factors:
            print(f"  Risk Factors:")
            for factor in risk_factors:
                print(f"    - {factor}")
        else:
            print(f"  Risk Level: Standard monitoring recommended")
        
        # Raw data for detailed analysis (truncated for readability)
        print(f"\nDetailed Technical Data:")
        print("-" * 30)
        
        # Display key fields in organized manner
        key_fields = ['status', 'first_seen', 'last_seen', 'title', 'server', 'content_type']
        for field in key_fields:
            if field in data:
                print(f"{field}: {data[field]}")
        
        # Additional fields if present
        additional_fields = set(data.keys()) - set(key_fields) - {'description', 'tags', 'related_onions'}
        if additional_fields:
            print(f"\nAdditional metadata available: {', '.join(sorted(additional_fields))}")
    
    else:
        print(f"No intelligence data found for address: {address}")
        print("This could indicate:")
        print("  - The address has never been observed by OnionLookup")
        print("  - The address is invalid or malformed")
        print("  - The service has never been accessible")

except requests.exceptions.RequestException as e:
    print(f"Error querying OnionLookup API: {e}")
    print("Please check network connectivity and API availability.")
except json.JSONDecodeError as e:
    print(f"Error parsing OnionLookup response: {e}")
    print("The API may have returned non-JSON data.")
except Exception as e:
    print(f"Unexpected error during onion analysis: {e}")
    print("Please verify the onion address format and try again.")

Analyzing onion address: threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion
Retrieving comprehensive intelligence from OnionLookup...

Onion Address Intelligence Report
Target: threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion
Analysis Date: 2025-11-11 09:42:37

Service Status Information:
  First Observed: 2023-09-15
  Last Observed: 2025-10-06

Service Classification:
  Categories: infoleak:automatic-detection="base64", infoleak:automatic-detection="mail", infoleak:automatic-detection="onion"

Technical Information:

Security Analysis:

Content Analysis:

Related Intelligence:
  Related Services: None identified

Historical Activity:

Risk Assessment:
  Risk Level: Standard monitoring recommended

Detailed Technical Data:
------------------------------
first_seen: 2023-09-15
last_seen: 2025-10-06

Additional metadata available: id, languages, titles


### Homework - Query recent posts and get associated group onion addresses

1. Query the 3 most recent ransomware posts (limit = 3) and print each post's group_name and post_title.
2. From the retrieved posts, extract the groups information and all unique .onion addresses into a list named `onions`. Print the number of unique onions per group and the list.
3. Choose one onion per group (e.g., the first) and call the OnionLookup API to retrieve details. Print the service status (status), first_seen, last_seen, and tags (if present).

Deliverable: a short report that shows
- posts processed.
- number of unique onion addresses found.
- the chosen onion and its one-line summary (status / first_seen / last_seen / tags).

In [None]:

# Your code here...
