├── .gitattributes ├── .gitignore ├── .travis.yml ├── README.md ├── RansomwareOverview.xlsx ├── UpdateJsonDataset ├── GenerateJsonDataset.pyproj ├── Ransomware-Resources.sln ├── download_file.py ├── excel_to_json.py ├── update_json.py └── validate_json.py ├── ransomware_overview.json └── requirements.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | *.credentials 10 | *.pyc 11 | 12 | # User-specific files (Google API) 13 | client_secret.json 14 | 15 | # User-specific files (MonoDevelop/Xamarin Studio) 16 | *.userprefs 17 | 18 | # Build results 19 | [Dd]ebug/ 20 | [Dd]ebugPublic/ 21 | [Rr]elease/ 22 | [Rr]eleases/ 23 | [Xx]64/ 24 | [Xx]86/ 25 | [Bb]uild/ 26 | bld/ 27 | [Bb]in/ 28 | [Oo]bj/ 29 | 30 | # Visual Studio 2015 cache/options directory 31 | .vs/ 32 | # Uncomment if you have tasks that create the project's static files in wwwroot 33 | #wwwroot/ 34 | 35 | # MSTest test Results 36 | [Tt]est[Rr]esult*/ 37 | [Bb]uild[Ll]og.* 38 | 39 | # NUNIT 40 | *.VisualState.xml 41 | TestResult.xml 42 | 43 | # Build Results of an ATL Project 44 | [Dd]ebugPS/ 45 | [Rr]eleasePS/ 46 | dlldata.c 47 | 48 | # DNX 49 | project.lock.json 50 | artifacts/ 51 | 52 | *_i.c 53 | *_p.c 54 | *_i.h 55 | *.ilk 56 | *.meta 57 | *.obj 58 | *.pch 59 | *.pdb 60 | *.pgc 61 | *.pgd 62 | *.rsp 63 | *.sbr 64 | *.tlb 65 | *.tli 66 | *.tlh 67 | *.tmp 68 | *.tmp_proj 69 | *.log 70 | *.vspscc 71 | *.vssscc 72 | .builds 73 | *.pidb 74 | *.svclog 75 | *.scc 76 | 77 | # Chutzpah Test files 78 | _Chutzpah* 79 | 80 | # Visual C++ cache files 81 | ipch/ 82 | *.aps 83 | *.ncb 84 | *.opendb 85 | *.opensdf 86 | *.sdf 87 | *.cachefile 88 | *.VC.db 89 | 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # NCrunch 117 | _NCrunch_* 118 | .*crunch*.local.xml 119 | nCrunchTemp_* 120 | 121 | # MightyMoose 122 | *.mm.* 123 | AutoTest.Net/ 124 | 125 | # Web workbench (sass) 126 | .sass-cache/ 127 | 128 | # Installshield output folder 129 | [Ee]xpress/ 130 | 131 | # DocProject is a documentation generator add-in 132 | DocProject/buildhelp/ 133 | DocProject/Help/*.HxT 134 | DocProject/Help/*.HxC 135 | DocProject/Help/*.hhc 136 | DocProject/Help/*.hhk 137 | DocProject/Help/*.hhp 138 | DocProject/Help/Html2 139 | DocProject/Help/html 140 | 141 | # Click-Once directory 142 | publish/ 143 | 144 | # Publish Web Output 145 | *.[Pp]ublish.xml 146 | *.azurePubxml 147 | 148 | # TODO: Un-comment the next line if you do not want to checkin 149 | # your web deploy settings because they may include unencrypted 150 | # passwords 151 | #*.pubxml 152 | *.publishproj 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Microsoft Azure ApplicationInsights config file 175 | ApplicationInsights.config 176 | 177 | # Windows Store app package directory 178 | AppPackages/ 179 | BundleArtifacts/ 180 | 181 | # Visual Studio cache files 182 | # files ending in .cache can be ignored 183 | *.[Cc]ache 184 | # but keep track of directories ending in .cache 185 | !*.[Cc]ache/ 186 | 187 | # Others 188 | ClientBin/ 189 | [Ss]tyle[Cc]op.* 190 | ~$* 191 | *~ 192 | *.dbmdl 193 | *.dbproj.schemaview 194 | *.pfx 195 | *.publishsettings 196 | node_modules/ 197 | orleans.codegen.cs 198 | 199 | # RIA/Silverlight projects 200 | Generated_Code/ 201 | 202 | # Backup & report files from converting an old project file 203 | # to a newer Visual Studio version. Backup files are not needed, 204 | # because we have git ;-) 205 | _UpgradeReport_Files/ 206 | Backup*/ 207 | UpgradeLog*.XML 208 | UpgradeLog*.htm 209 | 210 | # SQL Server files 211 | *.mdf 212 | *.ldf 213 | 214 | # Business Intelligence projects 215 | *.rdl.data 216 | *.bim.layout 217 | *.bim_*.settings 218 | 219 | # Microsoft Fakes 220 | FakesAssemblies/ 221 | 222 | # GhostDoc plugin setting file 223 | *.GhostDoc.xml 224 | 225 | # Node.js Tools for Visual Studio 226 | .ntvs_analysis.dat 227 | 228 | # Visual Studio 6 build log 229 | *.plg 230 | 231 | # Visual Studio 6 workspace options file 232 | *.opt 233 | 234 | # Visual Studio LightSwitch build output 235 | **/*.HTMLClient/GeneratedArtifacts 236 | **/*.DesktopClient/GeneratedArtifacts 237 | **/*.DesktopClient/ModelManifest.xml 238 | **/*.Server/GeneratedArtifacts 239 | **/*.Server/ModelManifest.xml 240 | _Pvt_Extensions 241 | 242 | # LightSwitch generated files 243 | GeneratedArtifacts/ 244 | ModelManifest.xml 245 | 246 | # Paket dependency manager 247 | .paket/paket.exe 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | /UpdateJsonDataset/__pycache__ 252 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: 3.6 3 | 4 | install: 5 | - pip install -r requirements.txt 6 | 7 | # command to run tests 8 | script: nosetests -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # Ransomware-Json-Dataset 3 | Compiles a json dataset containing properties to aid in the detection and mitigation of over 1000 variants of ransomware using public sources. 4 | 5 | [![Build Status](https://travis-ci.org/codingo/Ransomware-Json-Dataset.svg?branch=master)](https://travis-ci.org/codingo/Ransomware-Json-Dataset) 6 | [![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) 7 | [![Python 3.2|3.6](https://img.shields.io/badge/python-3.2|3.6-green.svg)](https://www.python.org/) 8 | [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_) 9 | 10 | 11 | ## Install Dependencies 12 | ``` 13 | pip install -r requirements.txt 14 | ``` 15 | ## Run Updater 16 | ``` 17 | python ./UpdateJsonDataset/update_json.py 18 | ``` 19 | 20 | The latest version of the Ransomware Summary spreadsheet will then be downloaded and processed into a local json output which will be found in the core folder of your local repository along with a copy of the latest version of the spreadsheet. To change the source and destinations for local files edit the constants found in the header of the 'update_json.py' file. 21 | 22 | ## Attribution / Credits 23 | JSON dataset work is based upon the Ransomware Summary public spreadsheet that is managed by the many efforts of Mosh (@nyxbone) and @cyb3rops and can be found at: http://goo.gl/b9R8DE. Spreadsheet data remains the intellectual property of Mosh and is taken 'as-is' and processed into a more programming friendly JSON output to allow its use in various shell or programming operations. Spreadsheet is cloned within this repository for redundancy purposes. 24 | -------------------------------------------------------------------------------- /RansomwareOverview.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codingo/Ransomware-Json-Dataset/871f9fa27f891fc5dd110518e931bef289265612/RansomwareOverview.xlsx -------------------------------------------------------------------------------- /UpdateJsonDataset/GenerateJsonDataset.pyproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Debug 5 | 2.0 6 | {177993af-a861-4be0-83da-b3aa3e9df1e7} 7 | 8 | update_json.py 9 | 10 | . 11 | . 12 | {888888a0-9f3d-457c-b088-3a5042f75d52} 13 | Standard Python launcher 14 | 15 | 16 | GenerateJsonDataset 17 | 18 | 19 | 20 | 21 | 10.0 22 | $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\Python Tools\Microsoft.PythonTools.targets 23 | 24 | 25 | 26 | Code 27 | 28 | 29 | Code 30 | 31 | 32 | Code 33 | 34 | 35 | Code 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /UpdateJsonDataset/Ransomware-Resources.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25123.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{888888A0-9F3D-457C-B088-3A5042F75D52}") = "GenerateJsonDataset", "GenerateJsonDataset.pyproj", "{177993AF-A861-4BE0-83DA-B3AA3E9DF1E7}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "GenerateJsonDataset", "GenerateJsonDataset", "{251C6434-6FC0-4E4B-A179-9BFFE9C7AB95}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Release|Any CPU = Release|Any CPU 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {177993AF-A861-4BE0-83DA-B3AA3E9DF1E7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {177993AF-A861-4BE0-83DA-B3AA3E9DF1E7}.Release|Any CPU.ActiveCfg = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(NestedProjects) = preSolution 23 | {177993AF-A861-4BE0-83DA-B3AA3E9DF1E7} = {251C6434-6FC0-4E4B-A179-9BFFE9C7AB95} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /UpdateJsonDataset/download_file.py: -------------------------------------------------------------------------------- 1 | import urllib.request 2 | 3 | 4 | def download_file(source, destination): 5 | try: 6 | urllib.request.urlretrieve(source, destination) 7 | except IOError: 8 | print('IOError: An error occured trying to write an updated spreadsheet.') 9 | print('Do you already have it open?') 10 | except urllib.error.URLError: 11 | print('URLError: An error occured trying to download the file. \ 12 | Please check the source and try again.') 13 | -------------------------------------------------------------------------------- /UpdateJsonDataset/excel_to_json.py: -------------------------------------------------------------------------------- 1 | import simplejson as json 2 | import xlrd 3 | from collections import OrderedDict 4 | 5 | 6 | def excel_to_json(filename): 7 | workbook = xlrd.open_workbook(filename) 8 | ransomware_sheet = workbook.sheet_by_index(0) 9 | detection_sheet = workbook.sheet_by_index(2) 10 | 11 | # List to hold dictionaries 12 | c_list = [] 13 | 14 | # Iterate through each row in worksheet and fetch values into dict 15 | for rownum in range(1, ransomware_sheet.nrows): 16 | wares = OrderedDict() 17 | ransomware_values = ransomware_sheet.row_values(rownum) 18 | 19 | if ransomware_values[6] == "": 20 | name = ransomware_values[0] 21 | gre = [name] 22 | elif "," in ransomware_values[6]: 23 | e = ransomware_values[6].split(",") 24 | ge = [ransomware_values[0]] 25 | gre = e+ge 26 | else: 27 | gre = [ransomware_values[0], ransomware_values[6]] 28 | 29 | wares['name'] = gre 30 | wares['extensions'] = ransomware_values[1] 31 | wares['extensionPattern'] = ransomware_values[2] 32 | wares['ransomNoteFilenames'] = ransomware_values[3] 33 | wares['comment'] = ransomware_values[4] 34 | wares['encryptionAlgorithm'] = ransomware_values[5] 35 | wares['decryptor'] = ransomware_values[7] 36 | 37 | if ransomware_values[8] == "": 38 | wares['resources'] = [ransomware_values[9]] 39 | elif ransomware_values[9] == "": 40 | wares['resources'] = [ransomware_values[8]] 41 | else: 42 | wares['resources'] = [ransomware_values[8], ransomware_values[9]] 43 | wares['screenshots'] = ransomware_values[10] 44 | 45 | for r in range(1, detection_sheet.nrows): 46 | detection_values = detection_sheet.row_values(r) 47 | 48 | if ransomware_values[0] == detection_values[0]: 49 | wares['microsoftDetectionName'] = detection_values[1] 50 | wares['microsoftInfo'] = detection_values[2] 51 | wares['sandbox'] = detection_values[3] 52 | wares['iocs'] = detection_values[4] 53 | wares['snort'] = detection_values[5] 54 | 55 | c_list.append(wares) 56 | 57 | # Serialize the list of dicts to JSON 58 | return json.dumps(c_list, indent=4) 59 | -------------------------------------------------------------------------------- /UpdateJsonDataset/update_json.py: -------------------------------------------------------------------------------- 1 | from excel_to_json import excel_to_json 2 | from download_file import download_file 3 | from validate_json import is_json 4 | 5 | 6 | SOURCESHEET = 'https://docs.google.com/spreadsheets' + \ 7 | '/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=xlsx' 8 | OUTPUTSHEET = '../RansomwareOverview.xlsx' 9 | JSONFILE = '../ransomware_overview.json' 10 | 11 | 12 | def print_banner(): 13 | print(' ____ ____ _ _ ') 14 | print('| _ \ __ _ _ __ ___ ___ _ __ _____ ____ _ _ __ ___ | _ \ __ _| |_ __ _ ___ ___| |_ ') 15 | print('| |_) / _` | \'_ \/ __|/ _ \| \'_ ` _ \ \ /\ / / _` | \'__/ _ \ | | | |/ _` | __/ _` / __|/ _ \ __|') 16 | print('| _ < (_| | | | \__ \ (_) | | | | | \ V V / (_| | | | __/ | |_| | (_| | || (_| \__ \ __/ |_ ') 17 | print('|_| \_\__,_|_| |_|___/\___/|_| |_| |_|\_/\_/ \__,_|_| \___| |____/ \__,_|\__\__,_|___/\___|\__|') 18 | print('Authored by @codingo_') 19 | print('Generates a json dataset of known ransomware from the public Google Spreadsheet originally created by Mosh (@nyxbone) and @cyb3rops.') 20 | 21 | 22 | def write_json_file(json_data, filename): 23 | print('[-] Writing file...') 24 | output = open(filename, 'w') 25 | output.writelines(json_data) 26 | 27 | 28 | def generate_json(source_file, download_destination, json_file): 29 | print('[-] Downloading source spreadsheet...') 30 | download_file(source_file, download_destination) 31 | print('[-] Generating json file...') 32 | write_json_file(excel_to_json(download_destination), json_file) 33 | 34 | 35 | def main(): 36 | print_banner() 37 | generate_json(SOURCESHEET, OUTPUTSHEET, JSONFILE) 38 | print('[-] Validating json file...') 39 | print('Debug: ' + JSONFILE) 40 | if(is_json(JSONFILE)): 41 | print('[!] Successfully generated an updated dataset.') 42 | else: 43 | print('[!] Unable to validate json datafile, please review the sourcesheet and output.') 44 | main() 45 | -------------------------------------------------------------------------------- /UpdateJsonDataset/validate_json.py: -------------------------------------------------------------------------------- 1 | import json 2 | 3 | # return true is json is valid or false if unable to load 4 | def is_json(json_file): 5 | try: 6 | json_object = json.loads(json_file) 7 | except ValueError: 8 | return False 9 | return True -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests==2.20.0 2 | simplejson==3.10.0 3 | xlrd==1.0.0 4 | --------------------------------------------------------------------------------