
ReversingLabs Ransomware and Related Tools Feed

This integration is part of the FeedReversingLabsRansomwareAndRelatedTools Pack.

Overview

The ReversingLabs Ransomware and Related Tools Feed includes fresh indicators not only for ransomware itself but also for the tools used to gain initial access and deploy it, giving defenders the opportunity to discover an adversary's initial network access and lateral movement before data is encrypted. Our threat intelligence researchers analyze ransomware attack trends and the security landscape to ensure that only the most up-to-date and relevant malware families are dissected to create technical indicators.

The user can set the initial fetch time to go back up to 4 hours. Each following fetch calculates the time window dynamically by itself so that no indicators are missed.

Configuring

Upon installing the ReversingLabs Ransomware and Related Tools Feed integration, do the following:

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ReversingLabs Ransomware and Related Tools Feed.

  3. Click Add instance to create and configure a new integration instance.

  4. After creating an instance of the integration, click on the cog icon and configure the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Name | A name for the integration instance. |
    | Fetch indicators | If checked, the instance fetches indicators. |
    | ReversingLabs TitaniumCloud URL | The host address of ReversingLabs TitaniumCloud. Default is "https://data.reversinglabs.com". |
    | Credentials | Username for ReversingLabs TitaniumCloud. |
    | Password | Password for ReversingLabs TitaniumCloud. |
    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation. Default is "Bad". |
    | Source Reliability | Defines the reliability of the source providing the intelligence data. Default is "A - Completely reliable". |
    | Indicator Expiration Method | The method by which to expire indicators from this feed for this integration instance. |
    | Indicator Expiration Interval | How often to expire the indicators from this integration instance, expressed in minutes. |
    | Feed Fetch Interval | How often to fetch indicators from the feed for this integration instance, expressed in hours and minutes. Default and recommended is 1 hour. |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. |
    | First fetch time | How many hours back in time indicators should be fetched from during the first run. Value should be between 1 and 4. Recommended value is 2. |
    | Indicator types | Which types of indicators should be fetched from the feed. Possible values are 'ipv4', 'domain', 'Hash', 'uri'. |
    | Tags | Tags added by the user that will be appended to the indicator tags. Tags need to be separated by a comma with no spaces. |
    | Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. |
    | Trust any certificate (not secure) | If checked, the server certificate integrity will be ignored. |

  5. When the parameters are configured, click "Test".

  6. If the test succeeds, click "Done" to finish configuring the instance.

Commands

The commands in this feed integration can be executed manually from the Cortex XSOAR CLI, or as a part of an automation or a playbook.

Get indicators from the feed

reversinglabs-get-indicators

Available arguments

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. Default is 50. | Optional |
| indicator_types | Which indicator types should be fetched from the feed. Possible values are 'ipv4', 'domain', 'Hash', 'uri'. The default is "ipv4,domain,Hash". | Optional |
| hours_back | How many hours back in time indicators should be fetched from. Value should be between 1 and 4. Recommended value is 1. | Optional |

Context and readable output

Depending on the indicator type and the specific indicator, the context and readable output can contain varying data fields. The full list of available output fields is the following:

| Field | Type |
| --- | --- |
| Indicator Value | String |
| Indicator Type | String |
| Days Valid | Integer |
| Confidence | Integer |
| Rating | Decimal |
| Indicator Tags | Object |
| Last Update | Timestamp |
| Deleted | Boolean |
| Hash | Object |

Indicator Tags object

| Field | Type |
| --- | --- |
| port | String |
| malwareType | String |
| lifecycleStage | String |
| malwareFamilyName | String |
| source | String |
| mitre | List |
| Protocol | String |

Hash object

| Field | Type |
| --- | --- |
| sha1 | String |
| md5 | String |
| sha256 | String |

Context prefix

ReversingLabs.indicators

Command example

!reversinglabs-get-indicators limit="40" indicator_types="ipv4,Hash" hours_back="2"
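As an added example (not part of this integration's own code), the following Python shows the two pieces of logic this document describes: how a fetch can size its `hours_back` window dynamically so that nothing between two runs is missed while staying inside the feed's 1 to 4 hour limit, and how feed records shaped after the output fields above can be turned into XSOAR-style indicators with user tags appended. The JSON key names and the sample records are constructed assumptions, not the feed's real wire format.

```python
import math
from datetime import datetime, timedelta, timezone

MIN_HOURS, MAX_HOURS = 1, 4  # hours_back window supported by the feed (per this document)


def hours_back_for_fetch(last_fetch, now, first_fetch_hours=2):
    """Hours of history to request: the configured 'First fetch time' on the
    first run, afterwards the time elapsed since the last fetch rounded up so
    no indicator is skipped, always clamped to the feed's 1..4 hour window."""
    if last_fetch is None:
        hours = first_fetch_hours
    else:
        hours = math.ceil((now - last_fetch) / timedelta(hours=1))
    return max(MIN_HOURS, min(MAX_HOURS, hours))


# Constructed records shaped after the output fields listed in this document.
# Key names are an assumption; all values are made up for illustration.
SAMPLE_RECORDS = [
    {"indicatorValue": "203.0.113.10", "indicatorType": "ipv4", "daysValid": 7,
     "confidence": 90, "rating": 0.9, "deleted": False,
     "indicatorTags": {"port": "445", "Protocol": "smb", "malwareType": "ransomware",
                       "lifecycleStage": "lateral_movement", "source": "constructed",
                       "malwareFamilyName": "ExampleFamily", "mitre": ["T1021.002"]}},
    {"indicatorValue": "a" * 64, "indicatorType": "Hash", "daysValid": 30,
     "confidence": 95, "rating": 1.0, "deleted": False,
     "hash": {"sha256": "a" * 64, "sha1": "b" * 40, "md5": "c" * 32},
     "indicatorTags": {"malwareType": "ransomware", "malwareFamilyName": "ExampleFamily",
                       "source": "constructed", "mitre": []}},
    {"indicatorValue": "example.invalid", "indicatorType": "domain", "deleted": True,
     "indicatorTags": {}},
]


def to_indicators(records, indicator_types, user_tags=()):
    """Keep only requested, non-deleted types and build one indicator dict per
    record: value, type, tags (family/stage/type plus MITRE IDs plus the
    user's own tags) and the scoring fields a defender wants in context."""
    out = []
    for r in records:
        if r.get("deleted") or r["indicatorType"] not in indicator_types:
            continue
        tags = r.get("indicatorTags", {})
        feed_tags = [tags[k] for k in ("malwareType", "lifecycleStage", "malwareFamilyName") if k in tags]
        feed_tags += list(tags.get("mitre", []))
        ind = {"value": r["indicatorValue"], "type": r["indicatorType"],
               "tags": sorted(set(feed_tags + list(user_tags))),
               "fields": {"confidence": r.get("confidence"), "rating": r.get("rating"),
                          "daysValid": r.get("daysValid"), "family": tags.get("malwareFamilyName")}}
        if r["indicatorType"] == "Hash":
            ind["fields"].update(r.get("hash", {}))  # carry sha1/md5/sha256 alongside the value
        out.append(ind)
    return out
```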