API Documentation

Overview

The Ransomware Monitor API provides JSON access to all tracked data. All endpoints return JSON and accept standard query parameters for filtering and pagination.

Base URL

https://your-domain.com/api/

Authentication

No authentication required for read-only access. Rate limiting applies: 100 requests per minute per IP.

Response Format

{
    "status": "ok",
    "count": 100,
    "data": [ ... ],
    "meta": {
        "page": 1,
        "per_page": 50,
        "total": 5000,
        "pages": 100
    }
}

Common Parameters

Parameter	Type	Description
page	int	Page number (default: 1)
per_page	int	Results per page (default: 50, max: 500)
sort	string	Sort field
order	string	Sort order: asc or desc

Victims

GET /api/victims

List all victims with optional filtering.

Parameter	Description
group	Filter by group name
country	Filter by country code (e.g., US, GB)
sector	Filter by sector
date_from	Start date (YYYY-MM-DD)
date_to	End date (YYYY-MM-DD)

GET /api/victims?group=lockbit&country=US&page=1&per_page=20

GET /api/victims/recent

Get the most recent victims (last 20).

GET /api/victims/recent?limit=20

GET /api/victims/{id}

Get details for a specific victim by ID.

Groups

GET /api/groups

List all tracked ransomware groups.

Parameter	Description
status	Filter by status: active, inactive, defunct

GET /api/groups?status=active

GET /api/groups/{id}

Get detailed information about a specific group including onion URLs, TTPs, and stats.

GET /api/groups/{id}/victims

Get all victims for a specific group.

Statistics

GET /api/stats/top-groups

Top 10 groups by victim count. Returns labels and values arrays.

GET /api/stats/monthly

Monthly victim counts grouped by year.

GET /api/stats/cumulative

Cumulative victim count over time.

GET /api/stats/sectors

Top targeted sectors with victim counts.

GET /api/stats/countries

Top targeted countries with victim counts.

GET /api/stats/countries-map

Country code to victim count mapping for world map visualization.

News

GET /api/news

List cybersecurity news articles.

Parameter	Description
source	Filter by news source

YARA Rules

GET /api/yara-rules

List all YARA rules, optionally filtered by group.

Parameter	Description
group	Filter by group name

TTPs

GET /api/ttps

List all MITRE ATT&CK techniques used by tracked groups.

Parameter	Description
tactic	Filter by tactic name
group	Filter by group name

IoCs

GET /api/iocs

List all indicators of compromise.

Parameter	Description
type	Filter by type: hash, ip, domain, url, email
group	Filter by group name

Ransom Notes

GET /api/ransom-notes

List all ransom notes, optionally filtered by group.

Search

GET /api/search

Search across all data types.

Parameter	Description
q	Search query (required)

GET /api/search?q=lockbit

Response includes separate arrays for victims, groups, and news matches.