A Model Context Protocol (MCP) server that provides real-time ransomware victim monitoring through the Ransomware.live API. This server enables AI agents to access comprehensive ransomware threat intelligence data including victim information, group details, and attack trends.
- get_api_info: Get basic API metadata and information
- get_recent_victims: Get the latest disclosed ransomware victims
- get_group_info: Get detailed information about a specific ransomware group
- get_all_groups: Get a list of all known ransomware groups
- get_all_cyberattacks: Get all known cyberattacks
- get_recent_cyberattacks: Get recently added cyberattacks
- get_group_victims: Get all victims claimed by a specific ransomware group
- search_victims: Search for victims by keyword
- get_country_attacks: Get cyberattacks for a specific country
- get_country_victims: Get victims from a specific country
- get_victims_by_date: Get victims by specific year and month
- get_sector_victims: Get victims from a specific business sector
- get_cert_contacts: Get national CERT contact information for a country
- get_yara_rules: Get YARA rules associated with a ransomware group
- ransomware://api/info: Basic information about the Ransomware.live API
- ransomware://victims/recent: Most recently disclosed ransomware victims
- ransomware://groups/all: Complete list of all known ransomware groups
- ransomware://attacks/recent: Recently added cyberattacks
- Clone or download this MCP server
- Install dependencies:
npm install- Build the server:
npm run buildAdd the server config to your claude_desktop_config.json:
{
"mcpServers": {
"ransomware-live": {
"command": "node",
"args": ["/path/to/ransomware-live-server/build/index.js"]
}
}
}The server can be started with:
npm startOr run directly:
node build/index.jsThis server uses the Ransomware.live API v2 which provides:
- Provider: Julien Mousqueton
- Authentication: Free tier available (no API key required)
- Base URL: https://api.ransomware.live/v2
- Documentation: Available at GitHub
victim: Company/organization namegroup: Ransomware group responsibleattackdate: Date of attack (if known)country: Country code (ISO-2)sector: Business sectorwebsite: Victim's websitedescription: Additional detailspress: Related press coverageupdates: Status updates
name: Group namedescription: Group descriptionlocations: Operating locationscountries: Target countriesprofile: Group profile informationcaptive: Has captive payment siteparser: Has automated parser
id: Attack identifiervictim: Target organizationgroup: Responsible groupdate: Attack datecountry: Target countrysector: Target sectordescription: Attack details
// Get last 10 victims
{
"tool": "get_recent_victims",
"arguments": {
"limit": 10
}
}// Search for victims containing "hospital"
{
"tool": "search_victims",
"arguments": {
"keyword": "hospital",
"limit": 20
}
}// Get info about LockBit group
{
"tool": "get_group_info",
"arguments": {
"group": "lockbit"
}
}// Get victims from Germany
{
"tool": "get_country_victims",
"arguments": {
"countryCode": "DE"
}
}// Get healthcare sector victims
{
"tool": "get_sector_victims",
"arguments": {
"sector": "Healthcare",
"countryCode": "US"
}
}The server includes comprehensive error handling for:
- Invalid API responses
- Network connectivity issues
- Malformed requests
- Rate limiting (if applicable)
- Missing or invalid parameters
The Ransomware.live API is free but may have rate limits. The server includes a 30-second timeout for requests and uses appropriate User-Agent headers.
- Threat Intelligence: Monitor recent ransomware activity
- Risk Assessment: Analyze sector-specific attack trends
- Incident Response: Research specific ransomware groups
- Compliance Reporting: Track regional attack patterns
- Security Research: Access YARA rules and IOCs
- CERT Coordination: Find national CERT contacts
npm run devnpm run buildWe provide multiple comprehensive test suites:
node simple-test.cjsnode test-all-tools.cjsnode final-test-for-readme.cjsAll 14 tools have been thoroughly tested and verified working:
-
get_api_info β
- Duration: ~0.4s
- Returns: API metadata and current update status
- Sample:
2025-07-22T20:17:06.022697+00:00
-
get_recent_victims β
- Duration: ~0.1s
- Returns: Latest ransomware victims with full details
- Sample:
blueridgesl.com(SafePay ransomware, US)
-
get_group_info β
- Duration: ~0.2s
- Returns: Detailed ransomware group intelligence
- Sample: LockBit group with 9 detailed properties
-
get_all_cyberattacks β (with limit)
- Duration: ~0.3s
- Returns: Comprehensive attack database
- Sample: Kannapolis city attack
-
get_recent_cyberattacks β
- Duration: ~0.2s
- Returns: Most recent attack additions
- Real-time threat intelligence data
-
get_group_victims β
- Duration: ~0.4s
- Returns: Group-specific victim lists
- Sample: Bangkok Airways (LockBit victim)
-
search_victims β
- Duration: ~0.3s
- Returns: Keyword-filtered victim searches
- Sample: Hospital search returns
Anadolu Hastaneleri(DireWolf)
-
get_cert_contacts β
- Duration: ~0.2s
- Returns: National CERT contact databases
- Sample: 109 US CERT contacts
-
get_yara_rules β
- Duration: ~0.1s
- Returns: Malware detection rules
- Sample: LockBit YARA signatures
-
get_all_groups β
- Duration: ~45s
- Returns: Complete ransomware group database
- Dataset: 275+ known ransomware groups
-
get_country_attacks β
- Duration: ~30s
- Returns: Country-specific attack data
- Sample: Germany's complete attack history
-
get_country_victims β
- Duration: ~35s
- Returns: National victim databases
- Dataset: 5,365+ US victims, 800+ German victims
-
get_victims_by_date β
- Duration: ~25s
- Returns: Time-based victim analysis
- Sample: December 2024 victim surge data
-
get_sector_victims β
- Duration: ~40s
- Returns: Industry-specific threat intelligence
- Sample: Healthcare sector with hundreds of victims
- Success Rate: 100% (14/14 tools working)
- API Connectivity: β Confirmed live data access
- Real-time Data: β Current as of 2025-07-22T20:17:06
- Large Datasets: β Handles 5,000+ victim records
- Timeout Handling: β Optimized for large responses (2+ minutes)
- Recent Victims: blueridgesl.com, Bangkok Airways, Anadolu Hastaneleri
- Active Groups: LockBit, SafePay, DireWolf, and 272+ others
- Geographic Coverage: US (5,365+ victims), Germany (800+ victims)
- Sector Analysis: Healthcare, Finance, Manufacturing, Government
- CERT Contacts: 109 US emergency response contacts
- Detection Rules: Current YARA signatures for major families
- Timeout Optimization: Extended to 2+ minutes for large datasets
- Memory Handling: Support for 50MB+ API responses
- Error Handling: Comprehensive validation and graceful degradation
- Rate Limiting: Built-in delays between API calls
- Performance Monitoring: Detailed timing and response analysis
All data is provided by Ransomware.live, which aggregates information from:
- Ransomware group leak sites
- Threat intelligence feeds
- Public security reports
- CERT advisories
- News sources
- This data is for legitimate security research and defense purposes
- Comply with applicable laws and regulations
- Respect rate limits and API terms of service
- Use responsibly for threat hunting and incident response
- Do not use for malicious purposes
Contributions welcome! Please submit issues and pull requests for:
- Bug fixes
- Feature enhancements
- Documentation improvements
- API endpoint additions
MIT License - see LICENSE file for details.
For issues with this MCP server:
- Create GitHub issues
- Submit pull requests
- Contact via MCP community channels
For Ransomware.live API issues:
- Visit the official repository
- Contact the API maintainers directly