# AbuseCH Data Scraper

## Ransomware Blacklist

> Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting and internet service providers (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview of the infrastructure used by Ransomware and whether it is actively being used by miscreants to commit fraud.

Reference: https://ransomwaretracker.abuse.ch/

In [1]:
from pprint import pprint
from abusech.ransomware import RansomwareBl
ransomware = RansomwareBl()

### Blocklists

> The table below provides separated blocklists for each malware and blocklist type. They allow you to be more specific in what you want to block (e.g. only a certain malware family or blocklist type).

Reference: https://ransomwaretracker.abuse.ch/blocklist/

In [2]:
blocklists = ransomware.get_blocklists()
pprint(blocklists[0])

Blocklist(name='CW_C2_URLBL', malware='cryptowall', scope='c2', type='url', false_positives='low', url='https://ransomwaretracker.abuse.ch/downloads/CW_C2_URLBL.txt')


### Get Blocklist - IP Address

> False positives are possible, especially with regards to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for a time of 30 days after the last appearance. This means that an IP address stays listed on RW_IPBL even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider) for another 30 days.

Reference: https://ransomwaretracker.abuse.ch/blocklist/

In [3]:
data = ransomware.get_blocklist(url='https://ransomwaretracker.abuse.ch/downloads/TC_PS_IPBL.txt')
pprint(data)

['216.218.135.114', '184.105.192.2']


### Get Blocklist - Domain

> Ransomware Tracker offers various types of blocklists that allow you to block Ransomware botnet C&C traffic. The available Ransomware blocklists are documented below. The update interval is 5 minutes.

Reference: https://ransomwaretracker.abuse.ch/blocklist/

In [4]:
data = ransomware.get_blocklist(url='https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt')
pprint(data[0:5])

['anime-tuner.square7.ch',
 'dichiro.com',
 'double-wing.de',
 'dining-bar.com',
 'weberteam.hu']


### Get Blocklist - URL

> Ransomware Tracker offers various types of blocklists that allow you to block Ransomware botnet C&C traffic. The available Ransomware blocklists are documented below. The update interval is 5 minutes.

Reference: https://ransomwaretracker.abuse.ch/blocklist/

In [5]:
data = ransomware.get_blocklist(url='https://ransomwaretracker.abuse.ch/downloads/CW_C2_URLBL.txt')
pprint(data[0:5])

['http://connectao.com/wp-content/themes/twentyeleven/cc.php',
 'http://businessaviators.com/r1doyF.php',
 'http://aditaborai.com.br/WgNGXe.php',
 'http://procrediti.com.ua/d6yGOX.php',
 'http://www.hanecaklaw.com/']
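The three `get_blocklist` calls above (IP, domain and URL lists) each return a bare list of indicators, which is only useful once it is matched against traffic. The following is an added example, not code from the scraper library or from abuse.ch: it parses the plain-text download layout (one indicator per line, `#` comment lines), normalises hosts and URLs so case and trailing-slash differences do not cause misses, and checks constructed proxy log lines against all three list types. The sample blocklist contents copy the output shown above; the log lines, the `RansomwareMatcher` class and the decision to let a listed apex domain also cover its subdomains are assumptions for the example. Exact URL hits are reported first because, as the RW_IPBL note above warns, IP-level matches carry the highest false-positive risk and deserve the most scrutiny.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklists in the plain-text layout the downloads use
# (one indicator per line, '#' comment lines). These are not fetched from
# abuse.ch; the entries copy the notebook output above.
TC_PS_IPBL = """\
# TorrentLocker payment-site IP blocklist (constructed sample)
216.218.135.114
184.105.192.2
"""

CW_C2_DOMBL = """\
# CryptoWall C2 domain blocklist (constructed sample)
anime-tuner.square7.ch
dichiro.com
double-wing.de
"""

CW_C2_URLBL = """\
# CryptoWall C2 URL blocklist (constructed sample)
http://connectao.com/wp-content/themes/twentyeleven/cc.php
http://businessaviators.com/r1doyF.php
http://www.hanecaklaw.com/
"""


def parse_blocklist(text):
    """Return the indicator lines of a blocklist download, skipping comments and blanks."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def norm_host(host):
    """Lower-case a hostname and drop a trailing dot so 'Example.COM.' == 'example.com'."""
    return host.lower().rstrip(".")


def norm_url(url):
    """Canonicalise scheme and host; an empty path becomes '/' so 'http://h' == 'http://h/'."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(),
                      netloc=norm_host(p.netloc),
                      path=p.path or "/").geturl()


class RansomwareMatcher:
    """Match a requested URL against IP, domain and URL blocklists (assumed helper)."""

    def __init__(self, ip_text, dom_text, url_text):
        self.ips = {ipaddress.ip_address(e) for e in parse_blocklist(ip_text)}
        self.domains = {norm_host(e) for e in parse_blocklist(dom_text)}
        self.urls = {norm_url(e) for e in parse_blocklist(url_text)}

    def check(self, url):
        """Return [(blocklist_type, matched_indicator), ...]; empty when nothing matches."""
        hits = []
        host = norm_host(urlsplit(url).hostname or "")
        # Exact URL match first: most specific, lowest false-positive risk.
        if norm_url(url) in self.urls:
            hits.append(("url", norm_url(url)))
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            # Literal IP in the URL: compare as an address, not a string,
            # so IPv6 spellings are normalised before lookup.
            if ip in self.ips:
                hits.append(("ip", str(ip)))
        else:
            # Domain match: the host itself or any parent domain on the list
            # (assumption: a listed apex domain also covers its subdomains).
            labels = host.split(".")
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    hits.append(("domain", candidate))
                    break
        return hits


# Constructed proxy log lines: 'timestamp client-ip method url'.
PROXY_LOG = [
    "2018-08-12T10:00:01Z 10.1.2.3 GET http://connectao.com/wp-content/themes/twentyeleven/cc.php",
    "2018-08-12T10:00:05Z 10.1.2.4 GET http://WWW.dichiro.com/index.html",
    "2018-08-12T10:00:09Z 10.1.2.5 GET http://216.218.135.114/pay",
    "2018-08-12T10:00:12Z 10.1.2.6 GET http://example.com/",
]


def scan_proxy_log(matcher, lines):
    """Return (timestamp, client, url, hits) for every log line that hits a blocklist."""
    findings = []
    for line in lines:
        ts, client, _method, url = line.split()
        hits = matcher.check(url)
        if hits:
            findings.append((ts, client, url, hits))
    return findings


if __name__ == "__main__":
    matcher = RansomwareMatcher(TC_PS_IPBL, CW_C2_DOMBL, CW_C2_URLBL)
    for ts, client, url, hits in scan_proxy_log(matcher, PROXY_LOG):
        print(ts, client, url, hits)
```

To use it with live data, pass the joined output of `ransomware.get_blocklist(...)` for each list type instead of the constructed strings; `parse_blocklist` is harmless on an already-clean list.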


### Tracker Data

> Ransomware Tracker offers feeds for Hosting- and Internet Service Providers, as well as for national CERTs / CSIRTs, Law Enforcement Agencies and other interested parties. The available feeds are described below. Unlike the blocklists provided by Ransomware Tracker, all feeds referenced below are generated in real time whenever you hit them. Please be advised that it is recommended to not fetch any feed more often than once every 5 minutes.

Reference: https://ransomwaretracker.abuse.ch/feeds/

In [6]:
data = ransomware.get_tracker()
pprint(data[0:5])

[Ransomware(timestamp=datetime.datetime(2018, 8, 12, 0, 46, 13), threat='c2', malware='locky', host='83.217.11.193', url='http://83.217.11.193/linuxsucks.php', status='offline', registrar=None, ipaddress='83.217.11.193', asn=199669, country='ru'),
 Ransomware(timestamp=datetime.datetime(2018, 8, 10, 5, 43, 15), threat='c2', malware='locky', host='pagaldaily.com', url='http://pagaldaily.com/apache_handler.php', status='offline', registrar='Danesco Trading Ltd.', ipaddress='185.82.217.102', asn=59729, country='bg'),
 Ransomware(timestamp=datetime.datetime(2018, 8, 10, 5, 43, 15), threat='c2', malware='locky', host='185.82.217.102', url='http://185.82.217.102/apache_handler.php', status='offline', registrar=None, ipaddress='185.82.217.102', asn=59729, country='bg'),
 Ransomware(timestamp=datetime.datetime(2018, 8, 9, 16, 50, 50), threat='c2', malware='locky', host='91.226.92.204', url='http://91.226.92.204/checkupdate', status='offline', registrar=None, ipaddress='91.226.92.204', asn=1238
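The tracker feed is cumulative: the records above include offline C2s and entries first seen days earlier, and the note above asks that the feed not be fetched more often than every 5 minutes. The following is an added example, not code from the scraper library or from abuse.ch. It parses a constructed sample in an assumed CSV layout (comment lines prefixed with `#`, then quoted records in the order Firstseen, Threat, Malware, Host, URL, Status, Registrar, IP address(es), ASN(s), Country(s), with `|` separating multiple IPs, ASNs or countries) into records with the same field names as the `Ransomware` tuples printed above, then reduces them to currently online C2s seen within a 30-day window, one record per IP, and wraps fetching in a cache that honours the 5-minute minimum interval. The `Ransomware` namedtuple, `parse_feed`, `active_c2s`, `count_by_family` and `FeedCache` are all assumptions for the example; the records are constructed and not real feed data.

```python
import csv
import io
import time
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Field order mirrors the Ransomware records printed above (assumed namedtuple,
# not the library's own class).
Ransomware = namedtuple("Ransomware", "timestamp threat malware host url status "
                                      "registrar ipaddress asn country")

# Constructed sample in the assumed CSV feed layout. Not real feed data.
SAMPLE_FEED = """\
# Ransomware Tracker CSV feed (constructed sample)
# Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country(s)
"2018-08-12 00:46:13","C2","Locky","83.217.11.193","http://83.217.11.193/linuxsucks.php","offline","","83.217.11.193","199669","RU"
"2018-08-10 05:43:15","C2","Locky","pagaldaily.com","http://pagaldaily.com/apache_handler.php","online","Danesco Trading Ltd.","185.82.217.102","59729","BG"
"2018-08-10 05:43:15","C2","Locky","185.82.217.102","http://185.82.217.102/apache_handler.php","online","","185.82.217.102","59729","BG"
"2018-08-09 16:50:50","Payment Site","TorrentLocker","example-pay.test","http://example-pay.test/","online","","203.0.113.7|203.0.113.8","64496|64497","US|US"
"""


def parse_feed(text):
    """Parse feed text into Ransomware records, one record per listed IP address.

    Assumptions: '#' lines are comments, timestamps are 'YYYY-MM-DD HH:MM:SS' UTC,
    and multi-valued IP/ASN/country columns are '|'-separated. An empty registrar
    becomes None, matching the records printed above.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):   # csv handles the quoting
        if not row or row[0].startswith("#"):
            continue
        firstseen, threat, malware, host, url, status, registrar, ips, asns, ccs = row
        ts = datetime.strptime(firstseen, "%Y-%m-%d %H:%M:%S")
        for ip, asn, cc in zip(ips.split("|"), asns.split("|"), ccs.split("|")):
            records.append(Ransomware(
                timestamp=ts, threat=threat.lower(), malware=malware.lower(),
                host=host, url=url, status=status.lower(),
                registrar=registrar or None, ipaddress=ip,
                asn=int(asn) if asn else None, country=cc.lower() or None))
    return records


def active_c2s(records, now, max_age_days=30):
    """Return online C2 records first seen within max_age_days, newest first, one per IP.

    Offline and stale entries are dropped so the result can drive a tighter
    block rule than the 30-day-retaining RW_IPBL described above.
    """
    cutoff = now - timedelta(days=max_age_days)
    seen, result = set(), []
    for r in sorted(records, key=lambda r: r.timestamp, reverse=True):
        if r.threat != "c2" or r.status != "online" or r.timestamp < cutoff:
            continue
        if r.ipaddress in seen:
            continue
        seen.add(r.ipaddress)
        result.append(r)
    return result


def count_by_family(records):
    """Count records per malware family to see which families dominate the feed."""
    return Counter(r.malware for r in records)


class FeedCache:
    """Serve a cached copy unless min_interval seconds have passed since the last fetch.

    The feed note above asks for at most one fetch per 5 minutes. The clock is
    injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, fetch, min_interval=300, clock=time.monotonic):
        self._fetch, self._min, self._clock = fetch, min_interval, clock
        self._last, self._cached = None, None

    def get(self):
        now = self._clock()
        if self._last is None or now - self._last >= self._min:
            self._cached = self._fetch()
            self._last = now
        return self._cached


if __name__ == "__main__":
    feed = FeedCache(lambda: parse_feed(SAMPLE_FEED))   # swap in ransomware.get_tracker for live use
    recs = feed.get()
    print(count_by_family(recs))
    for r in active_c2s(recs, now=datetime(2018, 8, 13)):
        print(r.malware, r.ipaddress, r.url)
```

With the live scraper, `FeedCache(ransomware.get_tracker)` gives the same throttling, and `active_c2s` works unchanged on the library's records because only the field names are relied on.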