Configure Identifiers - Advanced

Identifiers can be configured to support specific use cases. This page details these advanced configuration options.

Real-time Ransomware Victim Feed

Many ransomware groups list their victims and ransom requests on their blogs and websites. You can be notified of new ransomware victims across all group websites and blogs by creating the following identifier:

  1. Open the Create identifier page
  2. Enter a name such as Ransomware victims
  3. Choose the Query type
  4. Enter * as the query
  5. Unselect all categories except the Ransom Leaks subcategory (in the Illicit Networks category)
  6. Add a daily alert to get a list of new victims in your inbox every morning.

Variations:

  1. If you'd like to get new victims only for a certain area, you can enter a region instead of a wildcard. Any victim listing mentioning that region will trigger an alert. Examples include US OR USA OR "United States" for American victims or NJ OR "New Jersey" for a specific state.
  2. If you'd like more real-time monitoring, set the alert to "As soon as possible". Note that you may receive multiple alerts per day.
  3. If you want to monitor for a specific organization, for example when you are aware of an ongoing attack and want to be informed quickly once the victim is listed on the page, enter the name of the organization as the query instead of a wildcard. Include the domain name and name variations to make sure you match however the ransomware group may describe the victim. An example would be scatterholt OR scatterholt.com OR "scatter holt".
  4. If you want to monitor for a specific ransomware group, head over to the Collection page, find the group you are interested in (for example Avos Locker) and click on the name. This will bring you to a search where you can see the exact query to use to filter for that group (metadata.source:"avoslocker" in the case of Avos Locker). Copy this string and use it instead of * in your Query identifier.
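
When you track many organizations (for example a vendor list), the query from variation 3 can be generated rather than typed by hand. The sketch below is an added example, not part of the product: it uses only the OR operator and quoted phrases shown on this page, and the function names and the legal-suffix list are assumptions.

```python
import re
from typing import Sequence

# Assumed list of legal-form suffixes to drop from a name; extend as needed.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "gmbh", "plc"}


def _term(value: str) -> str:
    """Quote a term that contains whitespace, as in "scatter holt"."""
    value = value.strip().replace('"', "")
    return f'"{value}"' if re.search(r"\s", value) else value


def name_variations(name: str) -> list[str]:
    """Return the joined and the spaced spelling of an organization name."""
    words = [w for w in re.split(r"[^\w]+", name) if w]
    while len(words) > 1 and words[-1].lower() in LEGAL_SUFFIXES:
        words.pop()
    if not words:
        return []
    return ["".join(words), " ".join(words)]


def build_victim_query(name: str, domains: Sequence[str] = ()) -> str:
    """Build a query such as: scatterholt OR scatterholt.com OR "scatter holt"."""
    variations = name_variations(name)
    # Joined name first, then domains, then the spaced (quoted) spelling.
    candidates = variations[:1] + [d.strip().lower() for d in domains] + variations[1:]
    terms: list[str] = []
    for candidate in candidates:
        term = _term(candidate)
        if term and term not in terms:  # skip blanks and exact duplicates
            terms.append(term)
    if not terms:
        # Refuse to emit an empty query for the identifier.
        raise ValueError("no usable name or domain supplied")
    return " OR ".join(terms)


if __name__ == "__main__":
    # Constructed sample input, matching the example organization on this page.
    print(build_victim_query("scatter holt", ["scatterholt.com"]))
```

Paste the resulting string into the query field in place of the wildcard.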