Author: Raymond DePalma | Companion to the SANS Ransomware Intelligence Webinar
Automated threat intelligence pipelines that continuously monitor ransomware leak sites, run AI-powered analysis, and deliver rich interactive reports — to Slack, Google Docs, and email.
| Level | File | LLM | Key Capabilities | Visibility |
|---|---|---|---|---|
| 101 | 101_ransomware_threat_monitor.json | Claude Sonnet | Monitor → AI analysis → HTML + Slack report | ✅ Public |
| 101 (Ollama) | 101_ransomware_threat_monitor_ollama.json | Ollama (local) | Same as 101, fully local — no API costs | ✅ Public |
| 200 | 200_ransomware_intel_advanced.json | Claude Sonnet | + IOC enrichment, YARA rules, historical trending, email + JIRA | ✅ Public |
| 200 (Ollama) | 200_ransomware_intel_advanced_ollama.json | Ollama (local) | Same as 200, fully local | ✅ Public |
Import, activate, and within minutes you get a full dark-themed threat intelligence brief:
- 8 KPI cards — Active groups, total victims, countries, industries, time-to-encrypt, victims/day, double extortion rate, composite risk score
- MITRE ATT&CK table — Observed TTPs with technique IDs, tactic phases, and severity badges
- 5 Chart.js charts — Geographic doughnut, industry doughnut, TTP severity polar area, group comparison, risk radar
- Attack lifecycle visualization — 6-step colored flow (Initial Access → Execution → Priv Esc → Lateral Mvmt → Exfiltration → Impact)
- Group profile cards — Per-actor victim breakdown with individual industry charts
- Slack alert — Concise threat summary with group and victim stats
- Google Doc — Full markdown brief (optional)
For the Claude version (101/200):
- n8n instance — self-hosted or cloud
- Anthropic API key
- Slack webhook URL
- Google Docs OAuth (optional)
For the Ollama version (101/200):
- n8n instance
- Ollama running locally — `ollama serve`
- A compatible model pulled — `ollama pull llama3.1`
- Slack webhook URL

Compatible Ollama models: llama3.1 (recommended), mistral, gemma2, qwen2.5
For the 200 level (additional):
- VirusTotal API key (free tier: 500 req/day)
- AbuseIPDB API key (free tier available)
- SMTP/SendGrid for email delivery
- JIRA credentials (optional)
Note: The `ransomware.live` API is completely free and requires no authentication.
This repository includes a Mock API Server (mock_api/) that simulates the ransomware.live feed — ideal for webinars or offline demos. See mock_api/README.md.
- Download `n8n_workflows/101_ransomware_threat_monitor.json`
- Import into n8n (Workflows → Add Workflow → Import from File)
- Configure credentials: Anthropic API key, Slack webhook, Google Docs OAuth
- Customize the `Filter by Industry` node with your target sectors
- Activate and trigger manually to test
- Start Ollama and pull a model: `ollama pull llama3.1`
- Download `n8n_workflows/101_ransomware_threat_monitor_ollama.json`
- Import into n8n
- Configure Slack webhook
- The Ollama node connects to `http://localhost:11434` by default — no API key needed
Use 101_ransomware_threat_monitor_DEMO.json with the included mock_api/ server for live demos without connecting to real threat feeds.
Schedule (6h) → Fetch Victims API → Redact Identities → Filter by Industry
→ Deduplicate by Group → Fetch Group Profiles → Build Consolidated Brief
→ AI Threat Analysis (Claude / Ollama) → Enhance Brief
→ Output HTML File + Slack Alert + Google Doc
See the examples/ directory:
- HTML Report — Full interactive report with Chart.js charts, open in any browser
- Markdown Report — Full brief with Mermaid diagrams and MITRE mapping
- Slack Alert — Concise channel notification
CC BY-NC 4.0 — Free for educational and defensive use with attribution. Commercial use prohibited.
Disclaimer: This workflow connects to real-world threat feeds. Handle intelligence reports with appropriate OPSEC.