
[Ransomwarelive] ingests victims with asterisks in the title #2841

Closed
fwuest opened this issue Oct 25, 2024 · 2 comments
Labels
community support use to identify an issue related to feature developed & maintained by community. feature use for describing a new feature to develop needs triage use to identify issue needing triage from Filigran Product team

Comments


fwuest commented Oct 25, 2024

Use case

I would like the Ransomwarelive connector to only ingest victims that are final, and not victims that are listed with an asterisk in the title.

Current Workaround

Delete any reports and victims with an asterisk in the title.

Proposed Solution

Modify the code, perhaps like this (see the section "Skip processing if the victim name contains an asterisk in the title"):

```python
        # Requires at module level: import pycti; from stix2 import Identity

        # Creating Victim object
        # Scraped entries may lack the field entirely; default to "" so the
        # substring check below cannot raise on None.
        post_title = item.get("post_title") or ""

        # Skip processing if the victim name contains an asterisk in the title
        if "*" in post_title:
            self.helper.log_info(
                f"Skipping victim '{post_title}' because it contains an asterisk."
            )
            return None

        # Very short titles are treated as individuals rather than organizations
        victim_name, identity_class = (
            (post_title, "organization")
            if len(post_title) > 2
            else ((post_title + ":<)"), "individual")
        )
        victim = Identity(
            # Deterministic ID derived from name + identity class, so the same
            # victim seen twice resolves to the same STIX object
            id=pycti.Identity.generate_id(victim_name, identity_class.capitalize()),
            name=victim_name,
            identity_class=identity_class,
            type="identity",
            created_by_ref=self.author.get("id"),
            object_marking_refs=[self.marking.get("id")],
        )
```

Additional Information

I have edited the code and built a docker image for testing in my environment. OpenCTI version 6.3.6

If the feature request is approved, would you be willing to submit a PR?

Yes, but help would be required, and some assistance with submitting a PR would be greatly appreciated.

@fwuest fwuest added feature use for describing a new feature to develop needs triage use to identify issue needing triage from Filigran Product team labels Oct 25, 2024
@SamuelHassine SamuelHassine transferred this issue from OpenCTI-Platform/opencti Oct 25, 2024
@nino-filigran nino-filigran added the community support use to identify an issue related to feature developed & maintained by community. label Oct 28, 2024
@sudesh0sudesh (Contributor) commented:

@fwuest I don't mind changing the code, but the problem is you can't really depend on threat actors putting an asterisk. They could put it in the legitimate compromised victim's name too.
We have to remember most of the data is being scraped from ransomware sites and you have to expect some inconsistencies.
I can't justify using the asterisk as a solution - is there perhaps a better approach we could consider?


fwuest commented Jan 7, 2025

@sudesh0sudesh I checked the data on Ransomware.live. And there may be victims that are only partially listed with asterisks/wildcards as well as question marks.

TL;DR: Current implementation does not sanitize or handle special characters in victim names.

Explanation of my use case:

As per my understanding it is not possible to register a company name with a "*" or a "?" in the title. Threat actors that post these companies do this to pressure the companies to pay or extort the victims for money. But if we ingest the data, we do not know whether the data is actually true or what the name of the victim is; it should not be ingested.

I believe threat intel information needs to be actionable. If the victim is obfuscated with an "*" or a "?", the data in my opinion should not be ingested and not be attributed, especially since the data will not be sanitized in a later run.

If we have, for example, an arbitrary victim D*** S******** reported by a ransomware group with an incomplete name that is not being fully disclosed in order to extort and further pressure the victim, and we ingest this data into OpenCTI, what will happen when at a later stage the victim's data is fully disclosed and the victim is, let us say, Data Solutions? Will the original record with the "*" or "?" be modified and appended / updated and sanitized with the new information? As far as I know, it will not be modified; a new victim / report with the full data will be created and the other victim with the incomplete data will be an orphaned, not properly attributable record, correct?

FYI: I have a running connector with modified code that I am currently testing where I solved this issue as well as code that deals with activity/sectors being empty, blank or Not Found.
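The following is an added example, not code from the OpenCTI ransomware.live connector or from anyone in this thread. It screens scraped victim titles for the redaction characters discussed above (`*` and `?`), covers the cases the posted snippet would trip on (missing or blank `post_title`), and offers a "tag" policy as an alternative to dropping records, since a legitimate name could contain such a character. The `deterministic_identity_id` helper and its namespace UUID are an assumed, simplified model of how a name-plus-class deterministic STIX ID behaves, not pycti's exact algorithm; it is included only to show why a masked name and the later full name would never collapse into one identity. The sample feed entries are constructed, not real ransomware.live data.

```python
"""Screen scraped ransomware.live victim titles for redaction markers.

Added example; not part of the OpenCTI connector. The deterministic-ID helper
is a simplified approximation of pycti.Identity.generate_id (assumption), used
to illustrate that "D*** S********" and "Data Solutions" get distinct IDs.
"""
import json
import re
import uuid

# Characters leak sites use to mask part of a victim's name (per the thread).
REDACTION_RE = re.compile(r"[*?]")

# Assumed namespace for the illustrative deterministic-ID scheme below.
ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def is_redacted(post_title):
    """True when the title is missing, blank, or contains '*' or '?'."""
    if post_title is None or not post_title.strip():
        return True
    return REDACTION_RE.search(post_title) is not None


def identity_class_for(post_title):
    """Mirror the connector snippet in the thread: very short titles are individuals."""
    return "organization" if len(post_title) > 2 else "individual"


def deterministic_identity_id(name, identity_class):
    """Name+class keyed STIX id (simplified model, not pycti's real algorithm).

    Normalisation (lower-case, stripped) means spelling variants of the same
    full name merge, but a masked name can never merge with the real one.
    """
    payload = json.dumps(
        {"identity_class": identity_class.lower(), "name": name.lower().strip()},
        sort_keys=True,
        separators=(",", ":"),
    )
    return "identity--" + str(uuid.uuid5(ID_NAMESPACE, payload))


def screen_items(items, policy="skip"):
    """Split scraped items into (accepted, rejected).

    policy="skip": drop redacted titles (the proposal in the thread).
    policy="tag":  keep non-blank redacted titles but attach a label so an
                   analyst can see which records may later be superseded.
    Blank or missing titles are always rejected.
    """
    accepted, rejected = [], []
    for item in items:
        title = item.get("post_title")
        if not is_redacted(title):
            accepted.append(
                {"name": title, "identity_class": identity_class_for(title), "labels": []}
            )
            continue
        if policy == "tag" and title and title.strip():
            accepted.append(
                {
                    "name": title,
                    "identity_class": identity_class_for(title),
                    "labels": ["redacted-victim-name"],
                }
            )
        else:
            rejected.append(title)
    return accepted, rejected


# Constructed sample feed entries (hypothetical; not real ransomware.live data).
SAMPLE_ITEMS = [
    {"post_title": "Data Solutions", "group_name": "example-group"},
    {"post_title": "D*** S********", "group_name": "example-group"},
    {"post_title": "Acme ?", "group_name": "example-group"},
    {"post_title": "  ", "group_name": "example-group"},
    {"post_title": None, "group_name": "example-group"},
    {"post_title": "AB", "group_name": "example-group"},
]


if __name__ == "__main__":
    ok, dropped = screen_items(SAMPLE_ITEMS)
    for v in ok:
        print(v["name"], v["identity_class"], deterministic_identity_id(v["name"], v["identity_class"]))
    print("dropped:", dropped)
```

Running the block with the default "skip" policy accepts only "Data Solutions" and "AB" and drops the masked, blank and missing titles; with `policy="tag"` the masked titles are kept but carry the `redacted-victim-name` label, which answers the objection that a real name might contain one of these characters without silently losing the record.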

Development: No branches or pull requests

3 participants