Ransomware Indicators TAXII Feeds (TCTF-0001 + TCTF-0002)

This page provides an overview of the ReversingLabs Ransomware Indicators Feed (TCTF-0001) and the Ransomware Indicators Lite Feed (TCTF-0002), collectively referred to as the “ransomware feed” throughout this page.

The ransomware feed is purpose-built to focus exclusively on ransomware-related malware and its associated network activity. Backed by one of the largest malware processing pipelines in the industry handling approximately 20 million samples per day, we identify and extract high-confidence IOCs specifically tied to ransomware campaigns.

Each day, relevant ransomware samples are filtered from the broader malware pool. File and network metadata is enriched through both static and dynamic analysis, resulting in a curated feed that includes:

  • Ransomware-associated files
  • Command-and-control (C2) infrastructure (extracted from malware configurations)
  • Payload delivery URLs

Only indicators verified as malicious with high confidence are included, significantly reducing false positives compared to broader feeds.

To provide meaningful context, each IOC is linked to threat names, malware families, attack stages, MITRE ATT&CK techniques, and threat actor associations. This enrichment helps analysts understand why an IOC matters.

Given the rapid deployment of ransomware by human operators, often within hours of initial access, timeliness is critical. Over 50% of our IOCs are published within an hour of first observation, ensuring relevance for proactive defense and detection, not just post-incident response.

Full vs. Lite

The Full version is our premium feed, designed for mature security teams that require comprehensive visibility into ransomware activity. It includes the complete set of curated indicators derived from our advanced static and dynamic malware analysis pipeline.

The Lite version is a cost-effective, introductory offering that provides a subset of the intelligence available in the Full version. It’s ideal for organizations that are:

  • Evaluating ransomware threat intelligence feeds before full integration.
  • Developing and testing ingestion pipelines or enrichment engines.
  • Operating with limited budgets but seeking early threat detection capabilities.

Integrations

The ReversingLabs Ransomware Indicators TAXII Feeds have been tested to work with many of the most popular SIEM, SOAR, and TIP platforms that support ingestion of STIX/TAXII 2.1 objects. Check out our integrations documentation for additional examples.

RL-Specific Properties

Name

Currently, each indicator is given a name that matches the entity type prefixed with “Malware”, e.g. “Malware IP”, “Malware Domain”.

NOTE

Due to feedback from customers, we are actively working on replacing the existing name value with the actual indicator value.

External References

All MITRE ATT&CK techniques associated with the indicator are linked in the external references object.

Labels

Labels to help describe the indicator such as threat names, malware families, attack stages, MITRE ATT&CK techniques, and threat actor associations.

Kill Chain

ReversingLabs describes three stages of a ransomware attack. These are represented in the kill chain property, as well as the labels:

  • Early Stage: Indicators for ports, payload links, and other early-stage IoCs.
  • Middle Stage: Lateral progression within the organization.
  • Late Stage: Expansion, entrenchment, extortion, encryption, and exfiltration happen in late-stage ransomware attacks.

Ransomware Indicators Feed Query

API Root Discovery Query

Request format

GET api/taxii/ransomware-api-root/

Path parameters:

  • ransomware-api-root
    • The endpoint to retrieve the API root for the Ransomware Indicators Feed.

Response format

{
  "description": "ReversingLabs ransomware data.",
  "title": "ReversingLabs ransomware STIX 2.1 Collections",
  "max_content_length": 999765625,
  "versions": [
    "application/taxii+json;version=2.1"
  ]
}

List Available Collections Query

Request format

GET api/taxii/ransomware-api-root/collections/

Path parameters:

  • collections
    • The endpoint to retrieve the list of collections available in the feed.

Response

{
  "collections": [
    {
      "id": "f0997a32-b823-562d-9856-c754ac5e1159",
      "title": "ReversingLabs Ransomware Collection",
      "can_write": false,
      "can_read": true,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    }
  ]
}

Poll for Objects Query

Request format

GET api/taxii/ransomware-api-root/collections/{collection_id}/objects

Path parameters:

  • collections
    • The endpoint to retrieve the list of collections available in the feed.
  • collection_id
    • The id of the collection to poll, as returned by the collections endpoint.
  • objects
    • The endpoint to retrieve the objects in the specified collection.

Query parameters:

  • added_after
    • A timestamp in RFC 3339 format to retrieve all objects after the specified timestamp.
  • limit
    • Limit the number of objects returned in the response. Range: 1 - 500
  • match[type]
    • Filter objects by STIX object type. Accepts a comma-separated list, e.g. indicator,malware,threat-actor.
  • next
    • A string value indicating the next record or set of records in the dataset.

Response format

{
  "more": true,
  "next": "17562276",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
      "created": "2025-05-12T00:12:50Z",
      "modified": "2025-05-12T00:12:50Z",
      "valid_from": "2025-05-12T00:12:50Z",
      "valid_until": "2025-06-11T00:12:50Z",
      "created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
      "name": "Malware File",
      "description": "Malware file activity was observed",
      "confidence": 100,
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern_type": "stix",
      "pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
      "labels": [
        "ReversingLabs",
        "34634",
        "PE/Exe/cpTinyGiant",
        "Zbot",
        "Trojan",
        "Early"
      ],
      "external_references": [
        {
          "source_name": "mitre",
          "external_id": "T1018",
          "description": "Remote System Discovery",
          "url": "https://attack.mitre.org/techniques/T1018/"
        },
        {
          "source_name": "mitre",
          "external_id": "T1027",
          "description": "Obfuscated Files or Information",
          "url": "https://attack.mitre.org/techniques/T1027/"
        }
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "rl-ransomware-kill-chain",
          "phase_name": "early"
        }
      ],
      "revoked": false
    }
  ]
}

Ransomware Indicators Lite Feed Query

API Root Discovery Query

Request format

GET api/taxii/ransomware-lite/

Path parameters:

  • ransomware-lite
    • The endpoint to retrieve the API root for the Ransomware Indicators Lite Feed.

Response format

{
  "description": "ReversingLabs ransomware data.",
  "title": "ReversingLabs ransomware STIX 2.1 Collections",
  "max_content_length": 999765625,
  "versions": [
    "application/taxii+json;version=2.1"
  ]
}

List Available Collections Query

Request format

GET api/taxii/ransomware-lite/collections/

Path parameters:

  • collections
    • The endpoint to retrieve the list of collections available in the Lite feed.

Response format

{
  "collections": [
    {
      "id": "f0997a32-b823-562d-9856-c754ac5e1159",
      "title": "ReversingLabs Ransomware Collection",
      "can_write": false,
      "can_read": true,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    }
  ]
}

Poll for Objects Query

Request format

GET api/taxii/ransomware-lite/collections/{collection_id}/objects

Path parameters:

  • collections
    • The endpoint to retrieve the list of collections available in the Lite feed.
  • collection_id
    • The id of the collection to poll, as returned by the collections endpoint.
  • objects
    • The endpoint to retrieve the objects in the specified collection.

Query parameters:

  • added_after
    • A timestamp in RFC 3339 format to retrieve all objects after the specified timestamp.
  • limit
    • Limit the number of objects returned in the response. Range: 1 - 500
  • match[type]
    • Filter objects by STIX object type. Accepts a comma-separated list, e.g. indicator,malware,threat-actor.
  • next
    • A string value indicating the next record or set of records in the dataset.

Response format

{
  "more": true,
  "next": "17562276",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
      "created": "2025-05-12T00:12:50Z",
      "modified": "2025-05-12T00:12:50Z",
      "valid_from": "2025-05-12T00:12:50Z",
      "valid_until": "2025-06-11T00:12:50Z",
      "created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
      "name": "Malware File",
      "description": "Malware file activity was observed",
      "confidence": 100,
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern_type": "stix",
      "pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
      "labels": [
        "ReversingLabs",
        "34634",
        "PE/Exe/cpTinyGiant",
        "Zbot",
        "Trojan",
        "Early"
      ],
      "external_references": [
        {
          "source_name": "mitre",
          "external_id": "T1018",
          "description": "Remote System Discovery",
          "url": "https://attack.mitre.org/techniques/T1018/"
        },
        {
          "source_name": "mitre",
          "external_id": "T1027",
          "description": "Obfuscated Files or Information",
          "url": "https://attack.mitre.org/techniques/T1027/"
        }
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "rl-ransomware-kill-chain",
          "phase_name": "early"
        }
      ],
      "revoked": false
    }
  ]
}

Examples

API Root Discovery

Request

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/ -H "accept: application/taxii+json;version=2.1"

Response

{
  "description": "ReversingLabs ransomware data.",
  "title": "ReversingLabs ransomware STIX 2.1 Collections",
  "max_content_length": 999765625,
  "versions": [
    "application/taxii+json;version=2.1"
  ]
}

List Available Collections

Request

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/ -H "accept: application/taxii+json;version=2.1"

Response

{
  "collections": [
    {
      "id": "f0997a32-b823-562d-9856-c754ac5e1159",
      "title": "Reversinglabs Ransomware Collection",
      "can_write": false,
      "can_read": true,
      "media_types": [
        "application/stix+json;version=2.1"
      ]
    }
  ]
}

Poll for Objects

Request

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/ -H "accept: application/taxii+json;version=2.1"

Response

{
  "more": true,
  "next": "17562276",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
      "created": "2025-05-12T00:12:50Z",
      "modified": "2025-05-12T00:12:50Z",
      "valid_from": "2025-05-12T00:12:50Z",
      "valid_until": "2025-06-11T00:12:50Z",
      "created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
      "name": "Malware File",
      "description": "Malware file activity was observed",
      "confidence": 100,
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern_type": "stix",
      "pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
      "labels": [
        "ReversingLabs",
        "34634",
        "PE/Exe/cpTinyGiant",
        "Zbot",
        "Trojan",
        "Early"
      ],
      "external_references": [
        {
          "source_name": "mitre",
          "external_id": "T1018",
          "description": "Remote System Discovery",
          "url": "https://attack.mitre.org/techniques/T1018/"
        },
        {
          "source_name": "mitre",
          "external_id": "T1027",
          "description": "Obfuscated Files or Information",
          "url": "https://attack.mitre.org/techniques/T1027/"
        }
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "rl-ransomware-kill-chain",
          "phase_name": "early"
        }
      ],
      "revoked": false
    }
  ]
}

Filter by timestamp

Request

Use the added_after parameter to retrieve all objects added after the specified timestamp. The timestamp must be an RFC 3339-formatted timestamp using the format YYYY-MM-DDTHH:MM:SS.ssssssZ.

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?added_after=2025-05-12T00:00:00.000000Z -H "accept: application/taxii+json;version=2.1"

Limit Returned Objects

Request

Use the limit query parameter to retrieve a specified number of objects.

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?limit=5 -H "accept: application/taxii+json;version=2.1"

Matching

Use the match[type] query parameter to filter objects by type.

Request

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?match[type]=indicator,malware,threat-actor -H "accept: application/taxii+json;version=2.1"

Paging

Request 1

Make the first request using the limit query filter.

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?limit=5 -H "accept: application/taxii+json;version=2.1"

Response

The response returns a more property with a boolean value, where true indicates that more objects are available. The value of the next property is used for the subsequent request.

{
  "more": true,
  "next": "17562276",
  "objects": []
}

Request 2

Make the second request using the next query filter with the value returned in the previous response.

curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?next=17562276 -H "accept: application/taxii+json;version=2.1"

Error Handling

All errors are returned in the TAXII 2.1 standard format. For more details, view the official TAXII error handling page.

Example Response

{
  "description": "Unknown filter count encountered",
  "http_status": "400",
  "title": "ProcessingError"
}
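The paging loop from the Paging section and the error object shown above, combined into one poller. This is an added example, not ReversingLabs code: it assumes the basic-auth endpoint and query parameters documented on this page, and it takes the HTTP transport as a `fetch` argument so the same loop can be exercised offline against constructed sample pages. Follow-up page requests carry the original filters alongside next, which TAXII 2.1 permits; the page's own Request 2 passes only next.

```python
"""Poll the ransomware feed objects endpoint page by page (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

BASE_URL = "https://data.reversinglabs.com/api/taxii/ransomware-api-root/"
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


class TaxiiError(Exception):
    """Raised when the server answers with a TAXII 2.1 error object."""

    def __init__(self, status: int, body: dict):
        self.status = status
        self.title = body.get("title")
        self.description = body.get("description")
        super().__init__(f"{status} {self.title}: {self.description}")


def build_url(collection_id: str, added_after: Optional[str] = None,
              limit: Optional[int] = None, next_token: Optional[str] = None,
              types: Optional[List[str]] = None) -> str:
    """Assemble the objects URL with the query parameters the page documents."""
    params = {}
    if added_after:
        params["added_after"] = added_after          # RFC 3339, e.g. 2025-05-12T00:00:00.000000Z
    if limit is not None:
        if not 1 <= limit <= 500:                    # documented range
            raise ValueError("limit must be between 1 and 500")
        params["limit"] = str(limit)
    if next_token:
        params["next"] = next_token
    if types:
        params["match[type]"] = ",".join(types)      # comma-separated STIX types
    url = f"{BASE_URL}collections/{collection_id}/objects/"
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="[],:")
    return url


def http_get(url: str, username: str, password: str) -> Tuple[int, dict]:
    """Real transport: basic auth plus the TAXII Accept header. Returns (status, body)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": TAXII_MEDIA_TYPE,
                                               "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:                                         # TAXII error object rides on the HTTP error
            body = json.load(err)
        except ValueError:
            body = {"title": "HTTPError", "description": err.reason}
        return err.code, body


def poll_objects(collection_id: str, fetch: Callable[[str], Tuple[int, dict]],
                 added_after: Optional[str] = None, limit: int = 500,
                 types: Optional[List[str]] = None, max_pages: int = 10000) -> Iterator[dict]:
    """Yield every object in the collection, following more/next until exhausted."""
    next_token = None
    for _ in range(max_pages):
        status, body = fetch(build_url(collection_id, added_after, limit, next_token, types))
        if status >= 400:
            raise TaxiiError(status, body)
        yield from body.get("objects", [])
        if not body.get("more"):
            return
        next_token = body.get("next")
        if not next_token:                           # more=true without a token would loop forever
            raise TaxiiError(status, {"title": "ProcessingError",
                                      "description": "more=true but no next token"})
    raise RuntimeError("max_pages exceeded while polling")


# Constructed sample pages standing in for the live server (not real feed data).
_SAMPLE_PAGES = {
    None: (200, {"more": True, "next": "17562276",
                 "objects": [{"type": "indicator", "id": "indicator--sample-a"}]}),
    "17562276": (200, {"more": False, "next": None,
                       "objects": [{"type": "indicator", "id": "indicator--sample-b"}]}),
}


def fake_fetch(url: str) -> Tuple[int, dict]:
    """Offline transport: serves the page selected by the next parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return _SAMPLE_PAGES[query.get("next", [None])[0]]


def fake_error_fetch(url: str) -> Tuple[int, dict]:
    """Offline transport returning the error object shown on this page."""
    return 400, {"description": "Unknown filter count encountered",
                 "http_status": "400", "title": "ProcessingError"}


if __name__ == "__main__":
    # Replace fake_fetch with lambda u: http_get(u, "username", "password") for the live feed.
    for obj in poll_objects("f0997a32-b823-562d-9856-c754ac5e1159", fake_fetch, limit=5):
        print(obj["id"])
```

Keeping the transport injectable also makes it easy to unit-test the loop against a page that claims more=true but omits next, which is the case most likely to hang a naive ingestion job.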

Appendix A: Expected STIX Fields

  • type
    • Specifies the type of the STIX Object. For Indicators, this MUST be ‘indicator’.
    • Example value: indicator
  • spec_version
    • The STIX specification version used to represent this object.
    • Example value: 2.1
  • id
    • A unique identifier for this object, following the format indicator--UUID.
    • Example value: indicator--dd2207cb-7e85-54a5-99ef-0b952b340435
  • created
    • The time at which this object was originally created.
    • Example value: 2025-05-12T00:12:50Z
  • modified
    • The time that this particular version of the object was last modified.
    • Example value: 2025-05-12T00:12:50Z
  • valid_from
    • The time from which this Indicator is considered valid.
    • Example value: 2025-05-12T00:12:50Z
  • valid_until
    • The time at which this Indicator should no longer be considered valid.
    • Example value: 2025-06-11T00:12:50Z
  • created_by_ref
    • Specifies the ID of the Identity object that describes the entity that created this object.
    • Example value: identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e
  • name
    • A name used to identify the Indicator.
    • Example value: Malware File
  • description
    • A description that provides more details and context about the Indicator.
    • Example value: Malware file activity was observed
  • confidence
    • A value between 0 and 100 that describes the confidence in the correctness of the data contained within this object.
    • Example value: 100
  • indicator_types
    • Specifies the type of indicator. For example, malicious-activity, anomalous-activity, etc.
    • Example value: malicious-activity
  • pattern_type
    • Specifies the type of pattern used. Common values include stix, snort, yara, etc.
    • Example value: stix
  • pattern
    • The detection pattern for the Indicator, expressed in the language defined by pattern_type.
    • Example value: [file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']
  • labels
    • A set of labels applicable to this Indicator, providing additional context or metadata.
    • Example value: ReversingLabs, 34634, PE/Exe/cpTinyGiant, Zbot, Trojan, Early
  • external_references
    • A list of external references that describe where this Indicator originated from or additional information.
    • Example value: {"source_name": "mitre", "external_id": "T1018", "description": "Remote System Discovery", "url": "https://attack.mitre.org/techniques/T1018/"}
  • kill_chain_phases
    • Specifies the phase of the kill chain that this Indicator is associated with.
    • Example value: rl-ransomware-kill-chain: early
  • revoked
    • Indicates whether this object has been revoked.
    • Example value: false
  • more
    • Indicates if there are more objects available in the response.
    • Example value: true
  • next
    • A token that can be used to retrieve the next set of objects in a paginated response.
    • Example value: 17562276
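An ingestion-side normaliser for the indicator object described in Appendix A, the Poll for Objects response, and the Kill Chain section. This is an added example, not ReversingLabs code: it parses the file hashes out of the STIX pattern, maps the rl-ransomware-kill-chain phase to the three stages the page describes, collects the MITRE technique IDs from external_references, and checks the valid_from/valid_until window and the revoked flag so that stale indicators are not pushed into a blocklist. The sample indicator is the one shown on this page; the field names of the flattened record are this example's own choice.

```python
"""Normalise a ransomware-feed STIX indicator for SIEM/TIP ingestion (added example)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One comparison inside a STIX file-hash pattern, e.g. file:hashes.'SHA-256' = '<hex>'
_HASH_RE = re.compile(r"file:hashes\.'([A-Za-z0-9-]+)'\s*=\s*'([0-9a-fA-F]+)'")

# Expected hex digest lengths, used as a sanity check on parsed values
_HASH_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}

# The three stages the page describes, keyed by phase_name in kill_chain_phases
RL_STAGES = {
    "early": "Early Stage: ports, payload links, and other early-stage IoCs",
    "middle": "Middle Stage: lateral progression within the organization",
    "late": "Late Stage: expansion, entrenchment, extortion, encryption, exfiltration",
}


def parse_hashes(pattern: str) -> Dict[str, str]:
    """Extract {algorithm: lowercase hex} from a file-hash pattern; reject bad digest lengths."""
    hashes = {}
    for algo, digest in _HASH_RE.findall(pattern):
        expected = _HASH_LENGTHS.get(algo)
        if expected is not None and len(digest) != expected:
            raise ValueError(f"{algo} digest has length {len(digest)}, expected {expected}")
        hashes[algo] = digest.lower()
    return hashes


def _parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_active(indicator: dict, now: datetime) -> bool:
    """True if the indicator is not revoked and now lies within [valid_from, valid_until)."""
    if indicator.get("revoked"):
        return False
    if now < _parse_ts(indicator["valid_from"]):
        return False
    until = indicator.get("valid_until")
    return until is None or now < _parse_ts(until)


def mitre_techniques(indicator: dict) -> List[str]:
    """Collect ATT&CK technique IDs from external_references with source_name 'mitre'."""
    return sorted({ref["external_id"] for ref in indicator.get("external_references", [])
                   if ref.get("source_name") == "mitre" and ref.get("external_id")})


def normalise(indicator: dict, now: Optional[datetime] = None) -> dict:
    """Flatten a feed indicator into the fields a hash lookup or blocklist typically needs."""
    if indicator.get("type") != "indicator" or indicator.get("pattern_type") != "stix":
        raise ValueError("not a STIX-pattern indicator")
    now = now or datetime.now(timezone.utc)
    phases = [p["phase_name"] for p in indicator.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "rl-ransomware-kill-chain"]
    stage = phases[0] if phases else None
    return {
        "id": indicator["id"],
        "hashes": parse_hashes(indicator["pattern"]),
        "confidence": indicator.get("confidence"),
        "labels": list(indicator.get("labels", [])),
        "stage": stage,
        "stage_description": RL_STAGES.get(stage),
        "techniques": mitre_techniques(indicator),
        "active": is_active(indicator, now),
    }


# The indicator object shown on this page, reproduced here as sample input.
SAMPLE_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
    "valid_from": "2025-05-12T00:12:50Z", "valid_until": "2025-06-11T00:12:50Z",
    "name": "Malware File", "confidence": 100, "pattern_type": "stix",
    "pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR "
               "file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR "
               "file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
    "labels": ["ReversingLabs", "34634", "PE/Exe/cpTinyGiant", "Zbot", "Trojan", "Early"],
    "external_references": [
        {"source_name": "mitre", "external_id": "T1018", "description": "Remote System Discovery"},
        {"source_name": "mitre", "external_id": "T1027", "description": "Obfuscated Files or Information"},
    ],
    "kill_chain_phases": [{"kill_chain_name": "rl-ransomware-kill-chain", "phase_name": "early"}],
    "revoked": False,
}

if __name__ == "__main__":
    print(normalise(SAMPLE_INDICATOR, now=datetime(2025, 5, 20, tzinfo=timezone.utc)))
```

Treating valid_until as a hard cut-off is the conservative choice for automated blocking; a detection pipeline that only enriches alerts may prefer to keep expired indicators with a lowered score rather than drop them.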