Tracking ransomware events
Use case
Tracking Ransomware events
Proposed Solution
Using the Ransomware Live API to track recently published and historical ransomware events
Additional Information
I have built a ransomware connector for tracking newly discovered ransomware victims that can be used to track against customers or clients.
Would you be willing to submit a PR?
Yes
We strongly encourage you to submit a PR if you want and whenever you want. If your issue concerns a "Community-support" connector, your PR will probably be accepted after some review. If the connector is "Partner-support" or "Filigran-support", a dev team may take over but will base its work on your PR, speeding the process. It will be much appreciated.
I'm having trouble importing history for the ransomware events:
2024-02-19 00:24:32 {"timestamp": "2024-02-18T23:24:32.395184Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:22:07"}
2024-02-19 00:24:32 {"timestamp": "2024-02-18T23:24:32.395515Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.04 hours"}
2024-02-19 00:24:53 {"timestamp": "2024-02-18T23:24:53.342447Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:24:53 {"timestamp": "2024-02-18T23:24:53.668052Z", "level": "INFO", "name": "Ransomware Connector", "message": "Connector state has been remotely reset", "attributes": {"state": null}}
2024-02-19 00:25:32 {"timestamp": "2024-02-18T23:25:32.396758Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector has never run"}
2024-02-19 00:25:32 {"timestamp": "2024-02-18T23:25:32.397149Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 00:25:32 {"timestamp": "2024-02-18T23:25:32.397265Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.472114Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': '', 'discovered': '2021-01-10 00:00:00.000000', 'group_name': 'lorenz', 'post_title': 'Multifeeder', 'post_url': '', 'published': '2021-01-10 00:00:00.000000', 'screenshot': ''}."}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.475756Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--c57436bf-a725-4478-a1ed-bdf83e3622ab\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--db465a0e-0cc4-4f79-9e21-414f44c4acd6\", \"created\": \"2021-01-10T00:00:00.000Z\", \"modified\": \"2024-02-18T23:25:33.473651Z\", \"name\": \"Multifeeder\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2021-01-10T00:00:00Z\", \"object_refs\": [\"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\"]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--a0723b98-d949-432f-b36b-378e72ff8d53\", \"created\": \"2024-02-18T23:25:33.472853Z\", \"modified\": \"2024-02-18T23:25:33.472853Z\", \"name\": \"Multifeeder\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\", \"created\": \"2024-02-18T23:25:33.472269Z\", \"modified\": \"2024-02-18T23:25:33.472269Z\", \"name\": \"lorenz\", \"labels\": [\"ransomware\"]}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--3cbe37a1-39ef-47ec-a3ef-47c4cd56d676\", \"created\": \"2024-02-18T23:25:33.474463Z\", \"modified\": \"2024-02-18T23:25:33.474463Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\", \"target_ref\": \"identity--a0723b98-d949-432f-b36b-378e72ff8d53\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--0741040f-6252-4af8-b060-8dede91e3594\", \"created\": \"2024-02-18T23:25:33.47463Z\", \"modified\": \"2024-02-18T23:25:33.47463Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\", \"target_ref\": \"identity--a0723b98-d949-432f-b36b-378e72ff8d53\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": 
\"relationship--0dcaf5cd-f2ea-4b9b-84ef-57654fb0c9e7\", \"created\": \"2024-02-18T23:25:33.474775Z\", \"modified\": \"2024-02-18T23:25:33.474775Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--db465a0e-0cc4-4f79-9e21-414f44c4acd6\", \"target_ref\": \"identity--a0723b98-d949-432f-b36b-378e72ff8d53\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--834fe526-9659-4b44-ba0b-b2d8280aa85d\", \"created\": \"2024-02-18T23:25:33.474918Z\", \"modified\": \"2024-02-18T23:25:33.474918Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--db465a0e-0cc4-4f79-9e21-414f44c4acd6\", \"target_ref\": \"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--f2deac19-7412-4a71-967d-e2c3bf70f603\", \"created\": \"2024-02-18T23:25:33.475062Z\", \"modified\": \"2024-02-18T23:25:33.475062Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7\", \"target_ref\": \"report--db465a0e-0cc4-4f79-9e21-414f44c4acd6\"}]} STIX objects to collect_intellegince."}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.475876Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': '', 'discovered': '2021-01-26 00:00:00.000000', 'group_name': 'ragnarlocker', 'post_title': 'Ludwig Pfeiffer Leaked', 'post_url': '', 'published': '2021-01-26 00:00:00.000000', 'screenshot': ''}."}
2024-02-19 00:23:27 OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration...
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.477901Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--84ac7841-7fc3-48c5-8963-2109e94df17c\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--448e68b6-b3da-4fd1-b782-500ea08672e1\", \"created\": \"2021-01-26T00:00:00.000Z\", \"modified\": \"2024-02-18T23:25:33.476274Z\", \"name\": \"Ludwig Pfeiffer Leaked\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2021-01-26T00:00:00Z\", \"object_refs\": [\"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\"]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--244cef05-6cd7-4b83-8256-b62d4f2c213a\", \"created\": \"2024-02-18T23:25:33.476085Z\", \"modified\": \"2024-02-18T23:25:33.476085Z\", \"name\": \"Ludwig Pfeiffer Leaked\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\", \"created\": \"2024-02-18T23:25:33.475904Z\", \"modified\": \"2024-02-18T23:25:33.475904Z\", \"name\": \"ragnarlocker\", \"labels\": [\"ransomware\"]}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--ea55f6fc-7c40-429d-a163-00c1c3a1b04c\", \"created\": \"2024-02-18T23:25:33.476476Z\", \"modified\": \"2024-02-18T23:25:33.476476Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\", \"target_ref\": \"identity--244cef05-6cd7-4b83-8256-b62d4f2c213a\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--438f1e8f-d4ad-4656-8c80-2a1efcc97091\", \"created\": \"2024-02-18T23:25:33.476651Z\", \"modified\": \"2024-02-18T23:25:33.476651Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\", \"target_ref\": \"identity--244cef05-6cd7-4b83-8256-b62d4f2c213a\"}, {\"type\": \"relationship\", 
\"spec_version\": \"2.1\", \"id\": \"relationship--47daf8ca-d1d5-4b36-8360-bfa413b0e08d\", \"created\": \"2024-02-18T23:25:33.476801Z\", \"modified\": \"2024-02-18T23:25:33.476801Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--448e68b6-b3da-4fd1-b782-500ea08672e1\", \"target_ref\": \"identity--244cef05-6cd7-4b83-8256-b62d4f2c213a\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--202c5d95-077e-455b-b085-356e42f20855\", \"created\": \"2024-02-18T23:25:33.476964Z\", \"modified\": \"2024-02-18T23:25:33.476964Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--448e68b6-b3da-4fd1-b782-500ea08672e1\", \"target_ref\": \"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--f3225bb4-244f-408c-8639-f53186bb0d6a\", \"created\": \"2024-02-18T23:25:33.477117Z\", \"modified\": \"2024-02-18T23:25:33.477117Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f\", \"target_ref\": \"report--448e68b6-b3da-4fd1-b782-500ea08672e1\"}]} STIX objects to collect_intellegince."}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.482790Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [Report(type='report', spec_version='2.1', id='report--db465a0e-0cc4-4f79-9e21-414f44c4acd6', created='2021-01-10T00:00:00.000Z', modified='2024-02-18T23:25:33.473651Z', name='Multifeeder', report_types=['Ransomware-report'], published='2021-01-10T00:00:00Z', object_refs=['threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7'], revoked=False), Identity(type='identity', spec_version='2.1', id='identity--a0723b98-d949-432f-b36b-378e72ff8d53', created='2024-02-18T23:25:33.472853Z', modified='2024-02-18T23:25:33.472853Z', name='Multifeeder', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7', created='2024-02-18T23:25:33.472269Z', modified='2024-02-18T23:25:33.472269Z', name='lorenz', revoked=False, labels=['ransomware']), Relationship(type='relationship', spec_version='2.1', id='relationship--3cbe37a1-39ef-47ec-a3ef-47c4cd56d676', created='2024-02-18T23:25:33.474463Z', modified='2024-02-18T23:25:33.474463Z', relationship_type='attributed-to', source_ref='threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7', target_ref='identity--a0723b98-d949-432f-b36b-378e72ff8d53', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--0741040f-6252-4af8-b060-8dede91e3594', created='2024-02-18T23:25:33.47463Z', modified='2024-02-18T23:25:33.47463Z', relationship_type='targets', source_ref='threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7', target_ref='identity--a0723b98-d949-432f-b36b-378e72ff8d53', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--0dcaf5cd-f2ea-4b9b-84ef-57654fb0c9e7', created='2024-02-18T23:25:33.474775Z', modified='2024-02-18T23:25:33.474775Z', relationship_type='attributed-to', source_ref='report--db465a0e-0cc4-4f79-9e21-414f44c4acd6', 
target_ref='identity--a0723b98-d949-432f-b36b-378e72ff8d53', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--834fe526-9659-4b44-ba0b-b2d8280aa85d', created='2024-02-18T23:25:33.474918Z', modified='2024-02-18T23:25:33.474918Z', relationship_type='related-to', source_ref='report--db465a0e-0cc4-4f79-9e21-414f44c4acd6', target_ref='threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--f2deac19-7412-4a71-967d-e2c3bf70f603', created='2024-02-18T23:25:33.475062Z', modified='2024-02-18T23:25:33.475062Z', relationship_type='related-to', source_ref='threat-actor--3bf5214d-b0d1-4a2b-a72d-fac5990291c7', target_ref='report--db465a0e-0cc4-4f79-9e21-414f44c4acd6', revoked=False), Report(type='report', spec_version='2.1', id='report--448e68b6-b3da-4fd1-b782-500ea08672e1', created='2021-01-26T00:00:00.000Z', modified='2024-02-18T23:25:33.476274Z', name='Ludwig Pfeiffer Leaked', report_types=['Ransomware-report'], published='2021-01-26T00:00:00Z', object_refs=['threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f'], revoked=False), Identity(type='identity', spec_version='2.1', id='identity--244cef05-6cd7-4b83-8256-b62d4f2c213a', created='2024-02-18T23:25:33.476085Z', modified='2024-02-18T23:25:33.476085Z', name='Ludwig Pfeiffer Leaked', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f', created='2024-02-18T23:25:33.475904Z', modified='2024-02-18T23:25:33.475904Z', name='ragnarlocker', revoked=False, labels=['ransomware']), Relationship(type='relationship', spec_version='2.1', id='relationship--ea55f6fc-7c40-429d-a163-00c1c3a1b04c', created='2024-02-18T23:25:33.476476Z', modified='2024-02-18T23:25:33.476476Z', relationship_type='attributed-to', source_ref='threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f', 
target_ref='identity--244cef05-6cd7-4b83-8256-b62d4f2c213a', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--438f1e8f-d4ad-4656-8c80-2a1efcc97091', created='2024-02-18T23:25:33.476651Z', modified='2024-02-18T23:25:33.476651Z', relationship_type='targets', source_ref='threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f', target_ref='identity--244cef05-6cd7-4b83-8256-b62d4f2c213a', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--47daf8ca-d1d5-4b36-8360-bfa413b0e08d', created='2024-02-18T23:25:33.476801Z', modified='2024-02-18T23:25:33.476801Z', relationship_type='attributed-to', source_ref='report--448e68b6-b3da-4fd1-b782-500ea08672e1', target_ref='identity--244cef05-6cd7-4b83-8256-b62d4f2c213a', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--202c5d95-077e-455b-b085-356e42f20855', created='2024-02-18T23:25:33.476964Z', modified='2024-02-18T23:25:33.476964Z', relationship_type='related-to', source_ref='report--448e68b6-b3da-4fd1-b782-500ea08672e1', target_ref='threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--f3225bb4-244f-408c-8639-f53186bb0d6a', created='2024-02-18T23:25:33.477117Z', modified='2024-02-18T23:25:33.477117Z', relationship_type='related-to', source_ref='threat-actor--f36ac629-fa09-4f07-b10e-a4e810b6e96f', target_ref='report--448e68b6-b3da-4fd1-b782-500ea08672e1', revoked=False)] STIX objects to OpenCTI..."}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.484556Z", "level": "INFO", "name": "api", "message": "Update action expectations", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-18T23:25:32.420Z", "expectations": 16}}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.669081Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.711295Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.716506Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.721163Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.727572Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.732262Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.736655Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.743803Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.764777Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.779537Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.786679Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.793485Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.799473Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.805552Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.814134Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.831246Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.836454Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.838769Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708298732"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.839311Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1708298732"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.839645Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-18T23:25:32.420Z"}}
2024-02-19 00:25:34 {"timestamp": "2024-02-18T23:25:34.043018Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
2024-02-19 00:26:14 {"timestamp": "2024-02-18T23:26:14.065282Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:26:34 {"timestamp": "2024-02-18T23:26:34.043616Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:25:32"}
2024-02-19 00:26:34 {"timestamp": "2024-02-18T23:26:34.045028Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.07 hours"}
2024-02-19 00:26:54 {"timestamp": "2024-02-18T23:26:54.318504Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:27:34 {"timestamp": "2024-02-18T23:27:34.052260Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:25:32"}
2024-02-19 00:27:34 {"timestamp": "2024-02-18T23:27:34.052889Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.05 hours"}
2024-02-19 00:27:34 {"timestamp": "2024-02-18T23:27:34.634576Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:28:14 {"timestamp": "2024-02-18T23:28:14.905545Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:28:34 {"timestamp": "2024-02-18T23:28:34.056222Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:25:32"}
2024-02-19 00:28:34 {"timestamp": "2024-02-18T23:28:34.056374Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.03 hours"}
2024-02-19 00:28:55 {"timestamp": "2024-02-18T23:28:55.216590Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:29:34 {"timestamp": "2024-02-18T23:29:34.057728Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:25:32"}
2024-02-19 00:29:34 {"timestamp": "2024-02-18T23:29:34.058003Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.02 hours"}
2024-02-19 00:29:35 {"timestamp": "2024-02-18T23:29:35.398289Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:30:15 {"timestamp": "2024-02-18T23:30:15.663907Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 00:30:34 {"timestamp": "2024-02-18T23:30:34.058960Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-18 23:25:32"}
2024-02-19 00:30:34 {"timestamp": "2024-02-18T23:30:34.059123Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 00:30:34 {"timestamp": "2024-02-18T23:30:34.059225Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.602642Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [] STIX objects to OpenCTI..."}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.604719Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending None STIX objects to OpenCTI..."}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.605944Z", "level": "ERROR", "name": "Ransomware Connector", "message": "File data is not a valid bundle", "exc_info": "Traceback (most recent call last):\n File \"/opt/connector/lib/ransomConn.py\", line 346, in run\n self.helper.send_stix2_bundle(\n File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 1020, in send_stix2_bundle\n bundles = stix2_splitter.split_bundle(bundle, True, event_version)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2_splitter.py\", line 80, in split_bundle\n raise Exception(\"File data is not a valid bundle\")\nException: File data is not a valid bundle"}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.606042Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708299034"}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.606106Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1708299034"}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.606205Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-18T23:30:34.081Z"}}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.721311Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
2024-02-19 00:30:56 {"timestamp": "2024-02-18T23:30:56.129616Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
Here is my docker-compose.yml
- CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted).
- CONNECTOR_LOG_LEVEL=debug # Log level: debug, info, warn, error, fatal
- CONNECTOR_UPDATE_EXISTING_DATA=false
- CONNECTOR_PULL_HISTORY=true # If true, the connector will pull the history of the data.
- CONNECTOR_HISTORY_START_YEAR=2021 # Data only goes back till 2020
- CONNECTOR_RUN_EVERY=300s # In seconds.
# Connector's custom execution parameters:
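Added example, not part of the thread and not the connector's own code: a small audit over log lines in the format shown above that groups records into runs (from "Initiate work" to "storing last_run as ...") and flags any run that logged an ERROR yet still advanced `last_run`, which is what the 23:30:35 run in the log does. The sample lines are constructed by abridging the log above; the function names and the returned dictionary keys are assumptions made for this illustration.

```python
import json
import re

# Constructed sample, abridged from the log in this thread. It includes one
# plain-text (non-JSON) line to show that such lines are skipped.
SAMPLE_LOG = r'''
2024-02-19 00:25:32 {"timestamp": "2024-02-18T23:25:32.397265Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.711295Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.716506Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 00:25:33 {"timestamp": "2024-02-18T23:25:33.838769Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708298732"}
2024-02-19 00:23:27 OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration...
2024-02-19 00:30:34 {"timestamp": "2024-02-18T23:30:34.059225Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.602642Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [] STIX objects to OpenCTI..."}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.604719Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending None STIX objects to OpenCTI..."}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.605944Z", "level": "ERROR", "name": "Ransomware Connector", "message": "File data is not a valid bundle", "exc_info": "Exception: File data is not a valid bundle"}
2024-02-19 00:30:35 {"timestamp": "2024-02-18T23:30:35.606042Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708299034"}
'''

# "<local date> <local time> <JSON record>" as printed by the container log.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\{.*\})\s*$")
STATE_RE = re.compile(r"storing last_run as (\d+)")


def parse_records(text):
    """Yield the JSON record of each well-formed log line, skipping the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # plain-text line, blank line, or a fragment of a split record
        try:
            record = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # record truncated or broken across lines
        if isinstance(record, dict):
            yield record


def audit_runs(text):
    """Group records into connector runs and flag runs that failed but saved state."""
    runs = []
    current = None
    for record in parse_records(text):
        message = record.get("message", "")
        if record.get("name") == "api" and message == "Initiate work":
            current = {
                "started": record.get("timestamp"),
                "bundles_sent": 0,
                "errors": [],
                "last_run": None,
            }
            runs.append(current)
            continue
        if current is None:
            continue  # record outside any run (PingAlive, scheduling messages)
        if record.get("level") == "ERROR":
            current["errors"].append(message)
        elif message == "Bundle has been sent":
            current["bundles_sent"] += 1
        else:
            state = STATE_RE.search(message)
            if state:
                current["last_run"] = int(state.group(1))
                current = None  # the run is closed once state is stored
    for run in runs:
        # A run that errored but still stored last_run will not be retried:
        # the next run starts from the new timestamp.
        run["state_advanced_after_error"] = bool(run["errors"]) and run["last_run"] is not None
    return runs


if __name__ == "__main__":
    for run in audit_runs(SAMPLE_LOG):
        print(run)
```

Run against the full container log, the flagged runs are the ones whose time window was never imported even though the connector reported success.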
Can you reset the connector and try it?
I have tried to do a reset several times, and redeployed the container a few times.
I think you can also see on line 3 above in the log that it's being reset too.
Here is a new reset (in my troubleshooting I've set the first year to 2021 in case there was some issue with the old data, but it did not make a difference; it's giving the same error):
2024-02-19 07:51:06 {"timestamp": "2024-02-19T06:51:06.912638Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
2024-02-19 07:51:07 {"timestamp": "2024-02-19T06:51:07.326647Z", "level": "INFO", "name": "Ransomware Connector", "message": "Connector state has been remotely reset", "attributes": {"state": null}}
2024-02-19 07:51:32 {"timestamp": "2024-02-19T06:51:32.551067Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector has never run"}
2024-02-19 07:51:32 {"timestamp": "2024-02-19T06:51:32.551196Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 07:51:32 {"timestamp": "2024-02-19T06:51:32.551275Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.586490Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': '', 'discovered': '2021-01-10 00:00:00.000000', 'group_name': 'lorenz', 'post_title': 'Multifeeder', 'post_url': '', 'published': '2021-01-10 00:00:00.000000', 'screenshot': ''}."}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.589158Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--2101c54a-b203-40e6-85a4-c1200ae4a367\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422\", \"created\": \"2021-01-10T00:00:00.000Z\", \"modified\": \"2024-02-19T06:51:33.587148Z\", \"name\": \"Multifeeder\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2021-01-10T00:00:00Z\", \"object_refs\": [\"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\"]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--73100e66-4510-4ba5-9167-5a0123f7ad48\", \"created\": \"2024-02-19T06:51:33.586933Z\", \"modified\": \"2024-02-19T06:51:33.586933Z\", \"name\": \"Multifeeder\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\", \"created\": \"2024-02-19T06:51:33.586574Z\", \"modified\": \"2024-02-19T06:51:33.586574Z\", \"name\": \"lorenz\", \"labels\": [\"ransomware\"]}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--d40c768d-aa32-4e8e-bd43-f680d21ae95f\", \"created\": \"2024-02-19T06:51:33.587355Z\", \"modified\": \"2024-02-19T06:51:33.587355Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\", \"target_ref\": \"identity--73100e66-4510-4ba5-9167-5a0123f7ad48\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--8974f599-5f3a-4d06-8622-fecee703e63a\", \"created\": \"2024-02-19T06:51:33.587588Z\", \"modified\": \"2024-02-19T06:51:33.587588Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\", \"target_ref\": \"identity--73100e66-4510-4ba5-9167-5a0123f7ad48\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", 
\"id\": \"relationship--feaba03c-5540-457a-a25b-fda3b05b5947\", \"created\": \"2024-02-19T06:51:33.587844Z\", \"modified\": \"2024-02-19T06:51:33.587844Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422\", \"target_ref\": \"identity--73100e66-4510-4ba5-9167-5a0123f7ad48\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--ee259d29-15cc-46e5-a5fc-d364aaca49de\", \"created\": \"2024-02-19T06:51:33.588106Z\", \"modified\": \"2024-02-19T06:51:33.588106Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422\", \"target_ref\": \"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--385e5f16-3fea-47e3-8645-d36bae9465d7\", \"created\": \"2024-02-19T06:51:33.588296Z\", \"modified\": \"2024-02-19T06:51:33.588296Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0\", \"target_ref\": \"report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422\"}]} STIX objects to collect_intellegince."}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.589394Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': '', 'discovered': '2021-01-26 00:00:00.000000', 'group_name': 'ragnarlocker', 'post_title': 'Ludwig Pfeiffer Leaked', 'post_url': '', 'published': '2021-01-26 00:00:00.000000', 'screenshot': ''}."}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.591570Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--56678ae2-fa01-4588-aa6d-799b3464898f\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--427e4be8-3561-459b-baa5-ca4ecbdaf40c\", \"created\": \"2021-01-26T00:00:00.000Z\", \"modified\": \"2024-02-19T06:51:33.590048Z\", \"name\": \"Ludwig Pfeiffer Leaked\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2021-01-26T00:00:00Z\", \"object_refs\": [\"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\"]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e\", \"created\": \"2024-02-19T06:51:33.589777Z\", \"modified\": \"2024-02-19T06:51:33.589777Z\", \"name\": \"Ludwig Pfeiffer Leaked\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\", \"created\": \"2024-02-19T06:51:33.589521Z\", \"modified\": \"2024-02-19T06:51:33.589521Z\", \"name\": \"ragnarlocker\", \"labels\": [\"ransomware\"]}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--fddb10e5-eca3-457c-9c8f-dbfe25985e27\", \"created\": \"2024-02-19T06:51:33.590361Z\", \"modified\": \"2024-02-19T06:51:33.590361Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\", \"target_ref\": \"identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--2a24c665-d45b-40ab-b2cb-1b7c8c190051\", \"created\": \"2024-02-19T06:51:33.590628Z\", \"modified\": \"2024-02-19T06:51:33.590628Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\", \"target_ref\": \"identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e\"}, {\"type\": \"relationship\", 
\"spec_version\": \"2.1\", \"id\": \"relationship--8a227587-fa2e-4894-8dd4-7a193f73bdf5\", \"created\": \"2024-02-19T06:51:33.590806Z\", \"modified\": \"2024-02-19T06:51:33.590806Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--427e4be8-3561-459b-baa5-ca4ecbdaf40c\", \"target_ref\": \"identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--868611a2-bff3-4739-a2b6-216b7e174bc2\", \"created\": \"2024-02-19T06:51:33.590934Z\", \"modified\": \"2024-02-19T06:51:33.590934Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--427e4be8-3561-459b-baa5-ca4ecbdaf40c\", \"target_ref\": \"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--eb06930b-9805-47b0-bd23-11e71f930b9e\", \"created\": \"2024-02-19T06:51:33.591057Z\", \"modified\": \"2024-02-19T06:51:33.591057Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7\", \"target_ref\": \"report--427e4be8-3561-459b-baa5-ca4ecbdaf40c\"}]} STIX objects to collect_intellegince."}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.594585Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [Report(type='report', spec_version='2.1', id='report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422', created='2021-01-10T00:00:00.000Z', modified='2024-02-19T06:51:33.587148Z', name='Multifeeder', report_types=['Ransomware-report'], published='2021-01-10T00:00:00Z', object_refs=['threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0'], revoked=False), Identity(type='identity', spec_version='2.1', id='identity--73100e66-4510-4ba5-9167-5a0123f7ad48', created='2024-02-19T06:51:33.586933Z', modified='2024-02-19T06:51:33.586933Z', name='Multifeeder', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0', created='2024-02-19T06:51:33.586574Z', modified='2024-02-19T06:51:33.586574Z', name='lorenz', revoked=False, labels=['ransomware']), Relationship(type='relationship', spec_version='2.1', id='relationship--d40c768d-aa32-4e8e-bd43-f680d21ae95f', created='2024-02-19T06:51:33.587355Z', modified='2024-02-19T06:51:33.587355Z', relationship_type='attributed-to', source_ref='threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0', target_ref='identity--73100e66-4510-4ba5-9167-5a0123f7ad48', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--8974f599-5f3a-4d06-8622-fecee703e63a', created='2024-02-19T06:51:33.587588Z', modified='2024-02-19T06:51:33.587588Z', relationship_type='targets', source_ref='threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0', target_ref='identity--73100e66-4510-4ba5-9167-5a0123f7ad48', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--feaba03c-5540-457a-a25b-fda3b05b5947', created='2024-02-19T06:51:33.587844Z', modified='2024-02-19T06:51:33.587844Z', relationship_type='attributed-to', source_ref='report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422', 
target_ref='identity--73100e66-4510-4ba5-9167-5a0123f7ad48', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--ee259d29-15cc-46e5-a5fc-d364aaca49de', created='2024-02-19T06:51:33.588106Z', modified='2024-02-19T06:51:33.588106Z', relationship_type='related-to', source_ref='report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422', target_ref='threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--385e5f16-3fea-47e3-8645-d36bae9465d7', created='2024-02-19T06:51:33.588296Z', modified='2024-02-19T06:51:33.588296Z', relationship_type='related-to', source_ref='threat-actor--457bd506-8088-4f99-b1a2-1a18529ea5e0', target_ref='report--9ff9d50b-7ce5-4dfb-93fc-71ba653e8422', revoked=False), Report(type='report', spec_version='2.1', id='report--427e4be8-3561-459b-baa5-ca4ecbdaf40c', created='2021-01-26T00:00:00.000Z', modified='2024-02-19T06:51:33.590048Z', name='Ludwig Pfeiffer Leaked', report_types=['Ransomware-report'], published='2021-01-26T00:00:00Z', object_refs=['threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7'], revoked=False), Identity(type='identity', spec_version='2.1', id='identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e', created='2024-02-19T06:51:33.589777Z', modified='2024-02-19T06:51:33.589777Z', name='Ludwig Pfeiffer Leaked', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7', created='2024-02-19T06:51:33.589521Z', modified='2024-02-19T06:51:33.589521Z', name='ragnarlocker', revoked=False, labels=['ransomware']), Relationship(type='relationship', spec_version='2.1', id='relationship--fddb10e5-eca3-457c-9c8f-dbfe25985e27', created='2024-02-19T06:51:33.590361Z', modified='2024-02-19T06:51:33.590361Z', relationship_type='attributed-to', source_ref='threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7', 
target_ref='identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--2a24c665-d45b-40ab-b2cb-1b7c8c190051', created='2024-02-19T06:51:33.590628Z', modified='2024-02-19T06:51:33.590628Z', relationship_type='targets', source_ref='threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7', target_ref='identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--8a227587-fa2e-4894-8dd4-7a193f73bdf5', created='2024-02-19T06:51:33.590806Z', modified='2024-02-19T06:51:33.590806Z', relationship_type='attributed-to', source_ref='report--427e4be8-3561-459b-baa5-ca4ecbdaf40c', target_ref='identity--dfd6e9ef-a280-4ae1-be23-26c3613c496e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--868611a2-bff3-4739-a2b6-216b7e174bc2', created='2024-02-19T06:51:33.590934Z', modified='2024-02-19T06:51:33.590934Z', relationship_type='related-to', source_ref='report--427e4be8-3561-459b-baa5-ca4ecbdaf40c', target_ref='threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--eb06930b-9805-47b0-bd23-11e71f930b9e', created='2024-02-19T06:51:33.591057Z', modified='2024-02-19T06:51:33.591057Z', relationship_type='related-to', source_ref='threat-actor--81e9a1a6-f0eb-4ace-be70-434869a952f7', target_ref='report--427e4be8-3561-459b-baa5-ca4ecbdaf40c', revoked=False)] STIX objects to OpenCTI..."}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.595092Z", "level": "INFO", "name": "api", "message": "Update action expectations", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-19T06:51:32.784Z", "expectations": 16}}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.656364Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.665798Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.672087Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.679022Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.687254Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.692867Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.697313Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.701754Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.705969Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.714168Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.719127Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.722868Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.725962Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.729928Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.736141Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.739720Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.741226Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708325492"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.741761Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1708325492"}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.741942Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-19T06:51:32.784Z"}}
2024-02-19 07:51:33 {"timestamp": "2024-02-19T06:51:33.816203Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
2024-02-19 07:51:47 {"timestamp": "2024-02-19T06:51:47.326679Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
Not sure if it's related, but getting these regularly too:
2024-02-19 07:47:31 {"timestamp": "2024-02-19T06:47:31.602858Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 07:47:31 {"timestamp": "2024-02-19T06:47:31.602938Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.446692Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [] STIX objects to OpenCTI..."}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.448987Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending None STIX objects to OpenCTI..."}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.449707Z", "level": "ERROR", "name": "Ransomware Connector", "message": "File data is not a valid bundle", "exc_info": "Traceback (most recent call last):\n File \"/opt/connector/lib/ransomConn.py\", line 346, in run\n self.helper.send_stix2_bundle(\n File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 1020, in send_stix2_bundle\n bundles = stix2_splitter.split_bundle(bundle, True, event_version)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2_splitter.py\", line 80, in split_bundle\n raise Exception(\"File data is not a valid bundle\")\nException: File data is not a valid bundle"}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.452309Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708325251"}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.452740Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1708325251"}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.453235Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-19T06:47:31.611Z"}}
2024-02-19 07:47:32 {"timestamp": "2024-02-19T06:47:32.559546Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
2024-02-19 07:47:44 {"timestamp": "2024-02-19T06:47:44.812398Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
And one more issue in the logs about "The relationship type attributed-to is not allowed between Report and Organization".
Error in Connector status web UI:
{'name': 'FUNCTIONAL_ERROR', 'message': 'The relationship type attributed-to is not allowed between Report and Organization'}
{"type": "bundle", "id": "bundle--3a7f9312-893c-4bb3-a47e-6a037a0f49b1", "spec_version": "2.1", "x_opencti_seq": 4, "objects": [{"type": "relationship", "spec_version": "2.1", "id": "relationship--fd1911d9-abab-42d7-a0de-e781fd3bcfe0", "created": "2024-02-19T06:12:26.212216Z", "modified": "2024-02-19T06:12:26.212216Z", "relationship_type": "attributed-to", "source_ref": "report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451", "target_ref": "identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e", "nb_deps": 4}]}
{"type": "bundle", "id": "bundle--3a7f9312-893c-4bb3-a47e-6a037a0f49b1", "spec_version": "2.1", "x_opencti_seq": 4, "objects": [{"type": "relationship", "spec_version": "2.1", "id": "relationship--bbfc8265-8c03-4ce2-a9bf-a8d3b1e58ccc", "created": "2024-02-19T06:12:26.214537Z", "modified": "2024-02-19T06:12:26.214537Z", "relationship_type": "attributed-to", "source_ref": "report--99c658ff-04b1-4f59-aca0-8229f3f78060", "target_ref": "identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d", "nb_deps": 4}]}
And corresponding Log Entries:
2024-02-19 07:12:25 {"timestamp": "2024-02-19T06:12:25.118936Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-02-19 06:07:24"}
2024-02-19 07:12:25 {"timestamp": "2024-02-19T06:12:25.119031Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 07:12:25 {"timestamp": "2024-02-19T06:12:25.119079Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "81e92f94-cdcc-11ee-9b86-37348bc6ea51"}}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.210873Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': 'IT', 'description': '', 'discovered': '2024-02-19 06:11:47.754030', 'group_name': 'trisec', 'post_title': 'aivi.it', 'post_url': 'http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/aivi.it.html', 'published': '2024-02-19 06:11:47.754001', 'screenshot': 'https://images.ransomware.live/screenshots/posts/4d5e14fd21e735164dca668d6e3535ba.png', 'website': ''}."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.213387Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--06d1a6a3-16d0-45c7-990a-86952dd9a225\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451\", \"created\": \"2024-02-19T06:11:47.75403Z\", \"modified\": \"2024-02-19T06:12:26.211686Z\", \"name\": \"aivi.it\", \"description\": \"\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2024-02-19T06:11:47.754001Z\", \"object_refs\": [\"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\"], \"external_references\": [{\"source_name\": \"ransomware.live\", \"description\": \"This is the screenshot for the ransomware campaign.\", \"url\": \"https://images.ransomware.live/screenshots/posts/4d5e14fd21e735164dca668d6e3535ba.png\"}, {\"source_name\": \"ransomware.live\", \"description\": \"This is the post_url for the ransomware campaign.\", \"url\": \"http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/aivi.it.html\"}]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e\", \"created\": \"2024-02-19T06:12:26.211317Z\", \"modified\": \"2024-02-19T06:12:26.211317Z\", \"name\": \"aivi.it\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\", \"created\": \"2024-02-19T06:12:26.210974Z\", \"modified\": \"2024-02-19T06:12:26.210974Z\", \"name\": \"trisec\", \"labels\": [\"ransomware\"]}, {\"type\": \"location\", \"spec_version\": \"2.1\", \"id\": \"location--8dd2d042-9011-418a-a585-985ab6351f84\", \"created\": \"2024-02-19T06:12:26.212571Z\", \"modified\": \"2024-02-19T06:12:26.212571Z\", \"name\": \"IT\", \"country\": \"IT\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--063b3432-6ee6-4c71-9695-b6dacdd900fa\", 
\"created\": \"2024-02-19T06:12:26.211941Z\", \"modified\": \"2024-02-19T06:12:26.211941Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\", \"target_ref\": \"identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--bf346f8b-9ae9-450e-a6ce-43c496b367c8\", \"created\": \"2024-02-19T06:12:26.212087Z\", \"modified\": \"2024-02-19T06:12:26.212087Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\", \"target_ref\": \"identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--fd1911d9-abab-42d7-a0de-e781fd3bcfe0\", \"created\": \"2024-02-19T06:12:26.212216Z\", \"modified\": \"2024-02-19T06:12:26.212216Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451\", \"target_ref\": \"identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--db1a2ddf-28a9-44a8-aef3-19473e78ed4c\", \"created\": \"2024-02-19T06:12:26.212336Z\", \"modified\": \"2024-02-19T06:12:26.212336Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451\", \"target_ref\": \"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--7e1c3f70-e226-4ef5-83f3-b7e069eb2596\", \"created\": \"2024-02-19T06:12:26.212453Z\", \"modified\": \"2024-02-19T06:12:26.212453Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21\", \"target_ref\": \"report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451\"}]} STIX objects to collect_intellegince."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.213553Z", "level": "INFO", "name": "Ransomware Connector", "message": "Processing {'country': 'SE', 'description': '', 'discovered': '2024-02-19 06:11:16.206236', 'group_name': 'trisec', 'post_title': 'ki.se', 'post_url': 'http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/cmm.se.html', 'published': '2024-02-19 06:11:16.206212', 'screenshot': 'https://images.ransomware.live/screenshots/posts/482bcb8477783972915fbe8ba33d621b.png', 'website': ''}."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.215705Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending {\"type\": \"bundle\", \"id\": \"bundle--7c29fcab-485b-497a-a61d-2ea1e725ff75\", \"objects\": [{\"type\": \"report\", \"spec_version\": \"2.1\", \"id\": \"report--99c658ff-04b1-4f59-aca0-8229f3f78060\", \"created\": \"2024-02-19T06:11:16.206236Z\", \"modified\": \"2024-02-19T06:12:26.214065Z\", \"name\": \"ki.se\", \"description\": \"\", \"report_types\": [\"Ransomware-report\"], \"published\": \"2024-02-19T06:11:16.206212Z\", \"object_refs\": [\"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\"], \"external_references\": [{\"source_name\": \"ransomware.live\", \"description\": \"This is the screenshot for the ransomware campaign.\", \"url\": \"https://images.ransomware.live/screenshots/posts/482bcb8477783972915fbe8ba33d621b.png\"}, {\"source_name\": \"ransomware.live\", \"description\": \"This is the post_url for the ransomware campaign.\", \"url\": \"http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/cmm.se.html\"}]}, {\"type\": \"identity\", \"spec_version\": \"2.1\", \"id\": \"identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d\", \"created\": \"2024-02-19T06:12:26.213816Z\", \"modified\": \"2024-02-19T06:12:26.213816Z\", \"name\": \"ki.se\", \"identity_class\": \"organisation\"}, {\"type\": \"threat-actor\", \"spec_version\": \"2.1\", \"id\": \"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\", \"created\": \"2024-02-19T06:12:26.213604Z\", \"modified\": \"2024-02-19T06:12:26.213604Z\", \"name\": \"trisec\", \"labels\": [\"ransomware\"]}, {\"type\": \"location\", \"spec_version\": \"2.1\", \"id\": \"location--1a44ca9d-50e1-4bae-91a2-99adacb148a3\", \"created\": \"2024-02-19T06:12:26.214914Z\", \"modified\": \"2024-02-19T06:12:26.214914Z\", \"name\": \"SE\", \"country\": \"SE\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--868bb8c8-2224-43b2-9e6c-1829ae46888a\", \"created\": 
\"2024-02-19T06:12:26.21425Z\", \"modified\": \"2024-02-19T06:12:26.21425Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\", \"target_ref\": \"identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--7df2747b-3d9c-45f9-896a-a0bbf8471382\", \"created\": \"2024-02-19T06:12:26.214385Z\", \"modified\": \"2024-02-19T06:12:26.214385Z\", \"relationship_type\": \"targets\", \"source_ref\": \"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\", \"target_ref\": \"identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--bbfc8265-8c03-4ce2-a9bf-a8d3b1e58ccc\", \"created\": \"2024-02-19T06:12:26.214537Z\", \"modified\": \"2024-02-19T06:12:26.214537Z\", \"relationship_type\": \"attributed-to\", \"source_ref\": \"report--99c658ff-04b1-4f59-aca0-8229f3f78060\", \"target_ref\": \"identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--4dabf3f9-9221-4cd8-9dce-6b0d3b767381\", \"created\": \"2024-02-19T06:12:26.214663Z\", \"modified\": \"2024-02-19T06:12:26.214663Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"report--99c658ff-04b1-4f59-aca0-8229f3f78060\", \"target_ref\": \"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\"}, {\"type\": \"relationship\", \"spec_version\": \"2.1\", \"id\": \"relationship--7a7eb73b-8de5-472b-8a72-3e3cf4acccfc\", \"created\": \"2024-02-19T06:12:26.214788Z\", \"modified\": \"2024-02-19T06:12:26.214788Z\", \"relationship_type\": \"related-to\", \"source_ref\": \"threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94\", \"target_ref\": \"report--99c658ff-04b1-4f59-aca0-8229f3f78060\"}]} STIX objects to collect_intellegince."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.217283Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [Report(type='report', spec_version='2.1', id='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', created='2024-02-19T06:11:47.75403Z', modified='2024-02-19T06:12:26.211686Z', name='aivi.it', description='', report_types=['Ransomware-report'], published='2024-02-19T06:11:47.754001Z', object_refs=['threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21'], revoked=False, external_references=[ExternalReference(source_name='ransomware.live', description='This is the screenshot for the ransomware campaign.', url='https://images.ransomware.live/screenshots/posts/4d5e14fd21e735164dca668d6e3535ba.png'), ExternalReference(source_name='ransomware.live', description='This is the post_url for the ransomware campaign.', url='http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/aivi.it.html')]), Identity(type='identity', spec_version='2.1', id='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', created='2024-02-19T06:12:26.211317Z', modified='2024-02-19T06:12:26.211317Z', name='aivi.it', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', created='2024-02-19T06:12:26.210974Z', modified='2024-02-19T06:12:26.210974Z', name='trisec', revoked=False, labels=['ransomware']), Location(type='location', spec_version='2.1', id='location--8dd2d042-9011-418a-a585-985ab6351f84', created='2024-02-19T06:12:26.212571Z', modified='2024-02-19T06:12:26.212571Z', name='IT', country='IT', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--063b3432-6ee6-4c71-9695-b6dacdd900fa', created='2024-02-19T06:12:26.211941Z', modified='2024-02-19T06:12:26.211941Z', relationship_type='attributed-to', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', 
revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--bf346f8b-9ae9-450e-a6ce-43c496b367c8', created='2024-02-19T06:12:26.212087Z', modified='2024-02-19T06:12:26.212087Z', relationship_type='targets', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--fd1911d9-abab-42d7-a0de-e781fd3bcfe0', created='2024-02-19T06:12:26.212216Z', modified='2024-02-19T06:12:26.212216Z', relationship_type='attributed-to', source_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--db1a2ddf-28a9-44a8-aef3-19473e78ed4c', created='2024-02-19T06:12:26.212336Z', modified='2024-02-19T06:12:26.212336Z', relationship_type='related-to', source_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', target_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7e1c3f70-e226-4ef5-83f3-b7e069eb2596', created='2024-02-19T06:12:26.212453Z', modified='2024-02-19T06:12:26.212453Z', relationship_type='related-to', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', revoked=False), Report(type='report', spec_version='2.1', id='report--99c658ff-04b1-4f59-aca0-8229f3f78060', created='2024-02-19T06:11:16.206236Z', modified='2024-02-19T06:12:26.214065Z', name='ki.se', description='', report_types=['Ransomware-report'], published='2024-02-19T06:11:16.206212Z', object_refs=['threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94'], revoked=False, external_references=[ExternalReference(source_name='ransomware.live', description='This is the screenshot for the ransomware campaign.', 
url='https://images.ransomware.live/screenshots/posts/482bcb8477783972915fbe8ba33d621b.png'), ExternalReference(source_name='ransomware.live', description='This is the post_url for the ransomware campaign.', url='http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/cmm.se.html')]), Identity(type='identity', spec_version='2.1', id='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', created='2024-02-19T06:12:26.213816Z', modified='2024-02-19T06:12:26.213816Z', name='ki.se', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', created='2024-02-19T06:12:26.213604Z', modified='2024-02-19T06:12:26.213604Z', name='trisec', revoked=False, labels=['ransomware']), Location(type='location', spec_version='2.1', id='location--1a44ca9d-50e1-4bae-91a2-99adacb148a3', created='2024-02-19T06:12:26.214914Z', modified='2024-02-19T06:12:26.214914Z', name='SE', country='SE', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--868bb8c8-2224-43b2-9e6c-1829ae46888a', created='2024-02-19T06:12:26.21425Z', modified='2024-02-19T06:12:26.21425Z', relationship_type='attributed-to', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7df2747b-3d9c-45f9-896a-a0bbf8471382', created='2024-02-19T06:12:26.214385Z', modified='2024-02-19T06:12:26.214385Z', relationship_type='targets', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--bbfc8265-8c03-4ce2-a9bf-a8d3b1e58ccc', created='2024-02-19T06:12:26.214537Z', modified='2024-02-19T06:12:26.214537Z', relationship_type='attributed-to', 
source_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--4dabf3f9-9221-4cd8-9dce-6b0d3b767381', created='2024-02-19T06:12:26.214663Z', modified='2024-02-19T06:12:26.214663Z', relationship_type='related-to', source_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', target_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7a7eb73b-8de5-472b-8a72-3e3cf4acccfc', created='2024-02-19T06:12:26.214788Z', modified='2024-02-19T06:12:26.214788Z', relationship_type='related-to', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', revoked=False)] STIX objects to OpenCTI..."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.220590Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [Report(type='report', spec_version='2.1', id='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', created='2024-02-19T06:11:47.75403Z', modified='2024-02-19T06:12:26.211686Z', name='aivi.it', description='', report_types=['Ransomware-report'], published='2024-02-19T06:11:47.754001Z', object_refs=['threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21'], revoked=False, external_references=[ExternalReference(source_name='ransomware.live', description='This is the screenshot for the ransomware campaign.', url='https://images.ransomware.live/screenshots/posts/4d5e14fd21e735164dca668d6e3535ba.png'), ExternalReference(source_name='ransomware.live', description='This is the post_url for the ransomware campaign.', url='http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/aivi.it.html')]), Identity(type='identity', spec_version='2.1', id='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', created='2024-02-19T06:12:26.211317Z', modified='2024-02-19T06:12:26.211317Z', name='aivi.it', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', created='2024-02-19T06:12:26.210974Z', modified='2024-02-19T06:12:26.210974Z', name='trisec', revoked=False, labels=['ransomware']), Location(type='location', spec_version='2.1', id='location--8dd2d042-9011-418a-a585-985ab6351f84', created='2024-02-19T06:12:26.212571Z', modified='2024-02-19T06:12:26.212571Z', name='IT', country='IT', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--063b3432-6ee6-4c71-9695-b6dacdd900fa', created='2024-02-19T06:12:26.211941Z', modified='2024-02-19T06:12:26.211941Z', relationship_type='attributed-to', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', 
revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--bf346f8b-9ae9-450e-a6ce-43c496b367c8', created='2024-02-19T06:12:26.212087Z', modified='2024-02-19T06:12:26.212087Z', relationship_type='targets', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--fd1911d9-abab-42d7-a0de-e781fd3bcfe0', created='2024-02-19T06:12:26.212216Z', modified='2024-02-19T06:12:26.212216Z', relationship_type='attributed-to', source_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', target_ref='identity--16569018-9efb-4fab-b4d4-ffc0189a9d3e', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--db1a2ddf-28a9-44a8-aef3-19473e78ed4c', created='2024-02-19T06:12:26.212336Z', modified='2024-02-19T06:12:26.212336Z', relationship_type='related-to', source_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', target_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7e1c3f70-e226-4ef5-83f3-b7e069eb2596', created='2024-02-19T06:12:26.212453Z', modified='2024-02-19T06:12:26.212453Z', relationship_type='related-to', source_ref='threat-actor--c51352e6-a5ba-4bc6-8c02-09682e54df21', target_ref='report--63ac271b-cb6a-4c7b-8ab2-5d0bd6e1d451', revoked=False), Report(type='report', spec_version='2.1', id='report--99c658ff-04b1-4f59-aca0-8229f3f78060', created='2024-02-19T06:11:16.206236Z', modified='2024-02-19T06:12:26.214065Z', name='ki.se', description='', report_types=['Ransomware-report'], published='2024-02-19T06:11:16.206212Z', object_refs=['threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94'], revoked=False, external_references=[ExternalReference(source_name='ransomware.live', description='This is the screenshot for the ransomware campaign.', 
url='https://images.ransomware.live/screenshots/posts/482bcb8477783972915fbe8ba33d621b.png'), ExternalReference(source_name='ransomware.live', description='This is the post_url for the ransomware campaign.', url='http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/cmm.se.html')]), Identity(type='identity', spec_version='2.1', id='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', created='2024-02-19T06:12:26.213816Z', modified='2024-02-19T06:12:26.213816Z', name='ki.se', identity_class='organisation', revoked=False), ThreatActor(type='threat-actor', spec_version='2.1', id='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', created='2024-02-19T06:12:26.213604Z', modified='2024-02-19T06:12:26.213604Z', name='trisec', revoked=False, labels=['ransomware']), Location(type='location', spec_version='2.1', id='location--1a44ca9d-50e1-4bae-91a2-99adacb148a3', created='2024-02-19T06:12:26.214914Z', modified='2024-02-19T06:12:26.214914Z', name='SE', country='SE', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--868bb8c8-2224-43b2-9e6c-1829ae46888a', created='2024-02-19T06:12:26.21425Z', modified='2024-02-19T06:12:26.21425Z', relationship_type='attributed-to', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7df2747b-3d9c-45f9-896a-a0bbf8471382', created='2024-02-19T06:12:26.214385Z', modified='2024-02-19T06:12:26.214385Z', relationship_type='targets', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--bbfc8265-8c03-4ce2-a9bf-a8d3b1e58ccc', created='2024-02-19T06:12:26.214537Z', modified='2024-02-19T06:12:26.214537Z', relationship_type='attributed-to', 
source_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', target_ref='identity--54aad0c8-bc3f-4783-b0d9-f3996a10294d', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--4dabf3f9-9221-4cd8-9dce-6b0d3b767381', created='2024-02-19T06:12:26.214663Z', modified='2024-02-19T06:12:26.214663Z', relationship_type='related-to', source_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', target_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', revoked=False), Relationship(type='relationship', spec_version='2.1', id='relationship--7a7eb73b-8de5-472b-8a72-3e3cf4acccfc', created='2024-02-19T06:12:26.214788Z', modified='2024-02-19T06:12:26.214788Z', relationship_type='related-to', source_ref='threat-actor--ef51fa2c-91f0-4d4d-915e-8f04dc0a5e94', target_ref='report--99c658ff-04b1-4f59-aca0-8229f3f78060', revoked=False)] STIX objects to OpenCTI..."}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.221221Z", "level": "INFO", "name": "api", "message": "Update action expectations", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-19T06:12:25.322Z", "expectations": 18}}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.329062Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.336067Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.341103Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.346168Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.350481Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.355066Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.375828Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.412291Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.421248Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.441673Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.448735Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.456888Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.462989Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.468427Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.472874Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.478233Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.484967Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.490920Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.492597Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708323145"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.492779Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1708323145"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.492950Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_81e92f94-cdcc-11ee-9b86-37348bc6ea51_2024-02-19T06:12:25.322Z"}}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.534193Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
2024-02-19 07:12:36 {"timestamp": "2024-02-19T06:12:36.719948Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
The three lines are due to me sending an empty list when there are no latest events to report, and it is not specifically an issue. Have you checked if the old events are in reports? Don't worry about the error.
Will remove the relationship too
From what I can see, this entry is imported correctly: "'group_name': 'ragnarlocker', 'post_title': 'Ludwig Pfeiffer Leaked', 'post_url': '', 'published': '2021-01-26 00:00:00.000000',"
And the connector GUI says at that time; Operations completed: 16
But I can only see that entry, and after that it's importing only newly created entries (added today) from ransomware.live, no historical events. Though I've not found a good way of listing only entries imported by this connector to see exactly what's been imported, so it's a manual process trying to find the entries.
Is it possible that it's only importing the first/last entry in the list received?
If I knew how, I would modify your code to enable more debug logging to help figure this out.
I don't think it is, because we are using it in our environment. Let me check.
I have looked into the code, I have found the issue and resolved it. The commit has to be authorised by opencti. Thank you. Reset the connector before testing it.
I'm so grateful for the work you have done and for this connector so I almost don't dare to mention I think there is still an issue with the connector. I took your code from your master repository and updated the docker container, and now when it imports all entries the link between group and victims seems to be corrupt;
Let me check: was the issue related to historic or new ones? I can review it if you could tell me what is wrong with the entries.
Hmmm, let's see if there is a difference after it has processed all the entries;
If there is just a problem because the target object has not been created yet, or something like that.
No sorry, it's still the same on all of them,
I ran with this setup;
- CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted).
- CONNECTOR_LOG_LEVEL=debug # Log level: debug, info, warn, error, fatal
- CONNECTOR_UPDATE_EXISTING_DATA=true
- CONNECTOR_PULL_HISTORY=true # If true, the connector will pull the history of the data.
- CONNECTOR_HISTORY_START_YEAR=2020 # Data only goes back till 2020
- CONNECTOR_RUN_EVERY=300s # In seconds.
# Connector's custom execution parameters:
restart: always
So it should have updated existing ones if something was wrong.
I looked at, for example, Qilin, which is the latest entry on the ransomware live site, so for both new data and old data it looks like this (same for all the others)
I am sorry, can you explain the issue please, I am unable to catch it. The connector doesn't update old data. I can see that entries match with qilin
I might be misunderstanding things, but I think this list in the lower right should not list the --stix ID but the entry's name if it was imported correctly. That happened after your last change, and before that, it was showing the target's name and not the ID.
Don't worry about the entries in the most recent history, the standard deduplication is done by opencti. Only check if you are able to see all the relevant reports in your opencti. Additionally, those are just a kind of logging. It all depends on how the connector is pushing stix objects. Nothing to worry about.
Not to necro an old issue, but it's related: can the connector (https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/ransomwarelive) please be submitted to the OCTI Dockerhub, as currently it appears to require local building before it can be deployed, which isn't always possible?
Hello! I tried to deploy the connector and I have an error
{"timestamp": "2024-03-11T14:59:03.407380Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-03-11 14:54:01"}
{"timestamp": "2024-03-11T14:59:03.407488Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
{"timestamp": "2024-03-11T14:59:03.407556Z", "level": "INFO", "name": "api", "message": "Initiate work", "attributes": {"connector_id": "16121974-610e-4ced-ae5a-971252d70c12"}}
{"timestamp": "2024-03-11T14:59:03.739366Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [] STIX objects to OpenCTI..."}
{"timestamp": "2024-03-11T14:59:03.741388Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending None STIX objects to OpenCTI..."}
{"timestamp": "2024-03-11T14:59:03.742007Z", "level": "ERROR", "name": "Ransomware Connector", "message": "File data is not a valid bundle", "exc_info": "Traceback (most recent call last):\n File \"/opt/connector/lib/ransomConn.py\", line 354, in run\n self.helper.send_stix2_bundle(\n File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 1140, in send_stix2_bundle\n bundles = stix2_splitter.split_bundle(bundle, True, event_version)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/utils/opencti_stix2_splitter.py\", line 80, in split_bundle\n raise Exception(\"File data is not a valid bundle\")\nException: File data is not a valid bundle"}
{"timestamp": "2024-03-11T14:59:03.742089Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1710169143"}
{"timestamp": "2024-03-11T14:59:03.742142Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Grabbing current state and update it with last_run: 1710169143"}
{"timestamp": "2024-03-11T14:59:03.742221Z", "level": "INFO", "name": "api", "message": "Reporting work update_processed", "attributes": {"work_id": "work_16121974-610e-4ced-ae5a-971252d70c12_2024-03-11T14:59:03.425Z"}}
{"timestamp": "2024-03-11T14:59:03.773431Z", "level": "INFO", "name": "Ransomware Connector", "message": "Last_run stored, next run in: 0.08 hours"}
{"timestamp": "2024-03-11T14:59:40.885340Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "PingAlive running."}
{"timestamp": "2024-03-11T15:00:03.773808Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector last run: 2024-03-11 14:59:03"}
{"timestamp": "2024-03-11T15:00:03.773928Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector will not run, next run in: 0.07 hours"}
The connector worked fine only once and created many organizations. But when it was sent other information, there is an error.
I use the repo for creating the image. It runs in k8s. My env:
CONNECTOR_TYPE: EXTERNAL_IMPORT
CONNECTOR_NAME: "Ransomware Connector"
CONNECTOR_SCOPE: identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
# Connector's generic execution parameters:
OPENCTI_URL: http://opencti:80
OPENCTI_TOKEN: [[REDACTED]]
CONNECTOR_ID: 16121974-610e-4ced-ae5a-971252d70c12 # Valid UUIDv4 token
CONNECTOR_CONFIDENCE_LEVEL: 100 # From 0 (Unknown) to 100 (Fully trusted).
CONNECTOR_LOG_LEVEL: debug # Log level: debug, info, warn, error, fatal
CONNECTOR_UPDATE_EXISTING_DATA: true
CONNECTOR_PULL_HISTORY: true # If true, the connector will pull the history of the data.
CONNECTOR_HISTORY_START_YEAR: 2020 # Data only goes back till 2020
CONNECTOR_RUN_EVERY: 300s # In seconds.
Don't worry about the error. You don't need to have the incidents all the time; when there are no incidents, it sends a blank document, and that is the reason. This specific issue would not cause any other issues and the connector will continue to run.
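A log triage sketch for the failure discussed above, added here as an example and not part of the connector or of any poster's code: it groups the connector's JSON log lines into runs and flags a run that logged an ERROR but still stored last_run, which is what the 2024-03-11 excerpt shows. The sample lines are constructed from the log excerpts in this thread; parse_lines, audit_runs and the masked_failure field are names assumed for this example.

```python
import json
import re

# Constructed sample: abridged from the connector log lines quoted in this thread.
SAMPLE_LOG = r'''
2024-02-19 07:12:25 {"timestamp": "2024-02-19T06:12:25.300000Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.329062Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.336067Z", "level": "DEBUG", "name": "Ransomware Connector", "message": "Bundle has been sent"}
2024-02-19 07:12:26 {"timestamp": "2024-02-19T06:12:26.492597Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1708323145"}
{"timestamp": "2024-03-11T14:59:03.407488Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector will run!"}
{"timestamp": "2024-03-11T14:59:03.739366Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending [] STIX objects to OpenCTI..."}
{"timestamp": "2024-03-11T14:59:03.741388Z", "level": "INFO", "name": "Ransomware Connector", "message": "Sending None STIX objects to OpenCTI..."}
{"timestamp": "2024-03-11T14:59:03.742007Z", "level": "ERROR", "name": "Ransomware Connector", "message": "File data is not a valid bundle", "exc_info": "Traceback (most recent call last):\n ...\nException: File data is not a valid bundle"}
{"timestamp": "2024-03-11T14:59:03.742089Z", "level": "INFO", "name": "Ransomware Connector", "message": "Ransomware Connector connector successfully run, storing last_run as 1710169143"}
'''

EMPTY_SEND = re.compile(r"^Sending (\[\]|None) STIX objects")
STORED = re.compile(r"successfully run, storing last_run as (\d+)")

def parse_lines(text):
    """Yield JSON records, tolerating the container-runtime timestamp prefix."""
    for line in text.splitlines():
        try:
            yield json.loads(line[line.index("{"):])
        except ValueError:  # no JSON object on the line, or a truncated one
            continue

def audit_runs(records):
    """Group records into runs; flag runs that errored yet advanced last_run."""
    runs, current = [], None
    for rec in records:
        msg = rec.get("message", "")
        if msg.endswith("will run!"):
            current = {"started": rec["timestamp"], "bundles_sent": 0,
                       "empty_sends": 0, "errors": [], "last_run": None}
            continue
        if current is None:
            continue  # record outside any run (PingAlive, "will not run")
        if rec.get("level") == "ERROR":
            current["errors"].append(msg)
        elif msg == "Bundle has been sent":
            current["bundles_sent"] += 1
        elif EMPTY_SEND.match(msg):
            current["empty_sends"] += 1
        stored = STORED.search(msg)
        if stored:  # the run closes here, whether or not it errored
            current["last_run"] = int(stored.group(1))
            current["masked_failure"] = bool(current["errors"])
            runs.append(current)
            current = None
    return runs

if __name__ == "__main__":
    for run in audit_runs(parse_lines(SAMPLE_LOG)):
        print(run)
```

A run with masked_failure set is worth alerting on in a feed pipeline: the checkpoint moved forward, so anything that failed to ingest in that window is not retried on the next run.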