Ransomware Indicators TAXII Feeds (TCTF-0001 + TCTF-0002)
This page provides an overview of the ReversingLabs Ransomware Indicators Feed (TCTF-0001) and the Ransomware Indicators Lite Feed (TCTF-0002), collectively referred to as the “ransomware feed” throughout this page.
The ransomware feed is purpose-built to focus exclusively on ransomware-related malware and its associated network activity. Backed by one of the largest malware processing pipelines in the industry, handling approximately 20 million samples per day, we identify and extract high-confidence IOCs specifically tied to ransomware campaigns.
Each day, relevant ransomware samples are filtered from the broader malware pool. File and network metadata is enriched through both static and dynamic analysis, resulting in a curated feed that includes:
- Ransomware-associated files
- Command-and-control (C2) infrastructure (extracted from malware configurations)
- Payload delivery URLs
Only indicators verified as malicious with high confidence are included, significantly reducing false positives compared to broader feeds.
To provide meaningful context, each IOC is linked to threat names, malware families, attack stages, MITRE ATT&CK techniques, and threat actor associations. This enrichment helps analysts understand why an IOC matters.
Given the rapid deployment of ransomware by human operators, often within hours of initial access, timeliness is critical. Over 50% of our IOCs are published within an hour of first observation, ensuring relevance for proactive defense and detection, not just post-incident response.
Full vs. Lite
The Full version is our premium feed, designed for mature security teams that require comprehensive visibility into ransomware activity. It includes the complete set of curated indicators derived from our advanced static and dynamic malware analysis pipeline.
The Lite version is a cost-effective, introductory offering that provides a subset of the intelligence available in the Full version. It’s ideal for organizations that are:
- Evaluating ransomware threat intelligence feeds before full integration.
- Developing and testing ingestion pipelines or enrichment engines.
- Operating with limited budgets but seeking early threat detection capabilities.
Integrations
The ReversingLabs Ransomware Indicators TAXII Feeds have been tested to work with many of the most popular SIEM, SOAR, and TIP platforms that support ingestion of STIX/TAXII 2.1 objects. Check out our integrations documentation for additional examples.
RL-Specific Properties
Name
Currently, each indicator is given a name that matches the entity type prefixed with “Malware”, e.g. “Malware IP”, “Malware Domain”.
Due to feedback from customers, we are actively working on replacing the existing name value with the actual indicator value.
External References
All MITRE ATT&CK techniques associated with the indicator are linked in the external references object.
Labels
Labels to help describe the indicator such as threat names, malware families, attack stages, MITRE ATT&CK techniques, and threat actor associations.
Kill Chain
ReversingLabs describes three stages of a ransomware attack. These are represented in the kill chain property, as well as the labels:
- Early Stage: Indicators for ports, payload links, and other early-stage IoCs.
- Middle Stage: Lateral progression within the organization.
- Late Stage: Expansion, entrenchment, extortion, encryption, and exfiltration happen in late-stage ransomware attacks.
Ransomware Indicators Feed Query
API Root Discovery Query
Request format
GET api/taxii/ransomware-api-root/
Path parameters:
ransomware-api-root
- The endpoint to retrieve the API root for the Ransomware Indicators Feed.
Response format
{
"description": "ReversingLabs ransomware data.",
"title": "ReversingLabs ransomware STIX 2.1 Collections",
"max_content_length": 999765625,
"versions": [
"application/taxii+json;version=2.1"
]
}
List Available Collections Query
Request format
GET api/taxii/ransomware-api-root/collections/
Path parameters:
collections
- The endpoint to retrieve the list of collections available in the feed.
Response
{
"collections": [
{
"id": "f0997a32-b823-562d-9856-c754ac5e1159",
"title": "ReversingLabs Ransomware Collection",
"can_write": false,
"can_read": true,
"media_types": [
"application/stix+json;version=2.1"
]
}
]
}
Poll for Objects Query
Request format
GET api/taxii/ransomware-api-root/collections/{collection_id}/objects
Path parameters:
collections
- The endpoint to retrieve the list of collections available in the feed.
collection_id
- The ID of the collection whose objects to retrieve, as returned by the collections endpoint.
objects
- The endpoint to retrieve the objects in the specified collection.
Query parameters:
added_after
- A timestamp in RFC 3339 format to retrieve all objects after the specified timestamp.
limit
- Limit the number of objects returned in the response. Range: 1 - 500.
match[type]
- A comma-separated list of object types to filter by, such as indicator,malware,threat-actor. View the full list of supported fields.
next
- A string value indicating the next record or set of records in the dataset.
Response format
{
"more": true,
"next": "17562276",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
"created": "2025-05-12T00:12:50Z",
"modified": "2025-05-12T00:12:50Z",
"valid_from": "2025-05-12T00:12:50Z",
"valid_until": "2025-06-11T00:12:50Z",
"created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
"name": "Malware File",
"description": "Malware file activity was observed",
"confidence": 100,
"indicator_types": [
"malicious-activity"
],
"pattern_type": "stix",
"pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
"labels": [
"ReversingLabs",
"34634",
"PE/Exe/cpTinyGiant",
"Zbot",
"Trojan",
"Early"
],
"external_references": [
{
"source_name": "mitre",
"external_id": "T1018",
"description": "Remote System Discovery",
"url": "https://attack.mitre.org/techniques/T1018/"
},
{
"source_name": "mitre",
"external_id": "T1027",
"description": "Obfuscated Files or Information",
"url": "https://attack.mitre.org/techniques/T1027/"
}
],
"kill_chain_phases": [
{
"kill_chain_name": "rl-ransomware-kill-chain",
"phase_name": "early"
}
],
"revoked": false
}
]
}
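The indicator object above carries the file hashes inside a STIX pattern string, and the enrichment (labels, MITRE techniques, kill chain phase, validity window) as separate properties. The following is an added example, not ReversingLabs code, showing how a consumer can flatten such objects into one row per IOC value for a SIEM lookup table and age out expired or revoked entries. It relies only on the object layout shown in the response above; the OR-only pattern form, and the domain-name / ipv4-addr / url object paths used for network indicators, are assumptions, since the page only shows a file pattern. SAMPLE_OBJECTS is a constructed input: a copy of the page's file indicator plus a made-up domain indicator in the same layout.

```python
"""Flatten ransomware-feed indicator objects into SIEM-ready IOC rows.

Added example, not ReversingLabs code.  Assumes the object layout shown on the
page and OR-joined equality patterns; the network object paths are assumptions.
"""
import re
from datetime import datetime, timezone

# One equality comparison inside a STIX pattern, e.g. file:hashes.'SHA-256' = '...'.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

# STIX object paths mapped to the IOC type a lookup table keys on.  The three
# hash paths come from the page; the network paths are assumed.
_PATH_TO_TYPE = {
    "file:hashes.'MD5'": "md5",
    "file:hashes.'SHA-1'": "sha1",
    "file:hashes.'SHA-256'": "sha256",
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "url:value": "url",
}


def _parse_ts(value):
    """Parse the RFC 3339 UTC timestamps the feed uses (trailing 'Z')."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def parse_pattern(pattern):
    """Split an OR-joined equality pattern into (ioc_type, value) pairs.

    Each hash of one file identifies that file, so every alternative can be
    matched on its own.  A pattern joined with AND would need all comparisons
    to hold at once, which a per-value lookup cannot express, so it is rejected
    rather than silently over-matched."""
    if " AND " in pattern:
        raise ValueError("conjunctive pattern needs observable-level matching: " + pattern)
    pairs = []
    for path, value in _COMPARISON.findall(pattern):
        ioc_type = _PATH_TO_TYPE.get(path)
        if ioc_type is not None:  # unknown object paths are skipped, not guessed
            pairs.append((ioc_type, value))
    return pairs


def flatten_indicator(obj, now=None):
    """Return one row per IOC value, carrying the enrichment the feed attaches.

    `now` is an RFC 3339 string (defaults to the current time).  `active` is
    False for revoked indicators and for anything outside valid_from..valid_until,
    so expired IOCs can be retired from a blocklist instead of alerting forever."""
    if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
        return []
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    valid_from = _parse_ts(obj["valid_from"])
    valid_until = _parse_ts(obj["valid_until"]) if obj.get("valid_until") else None
    active = (not obj.get("revoked", False)
              and valid_from <= now_dt
              and (valid_until is None or now_dt < valid_until))
    mitre = [r["external_id"] for r in obj.get("external_references", [])
             if r.get("source_name") == "mitre"]
    phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "rl-ransomware-kill-chain"]
    return [{
        "ioc_type": ioc_type,
        "value": value,
        "indicator_id": obj["id"],
        "confidence": obj.get("confidence"),
        "labels": list(obj.get("labels", [])),
        "mitre": mitre,
        "phases": phases,
        "valid_until": obj.get("valid_until"),
        "active": active,
    } for ioc_type, value in parse_pattern(obj["pattern"])]


# Constructed input: the file indicator from the page, plus a made-up domain
# indicator in the same layout (c2.example.invalid is a placeholder, not a real IOC).
SAMPLE_OBJECTS = [
    {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
        "created": "2025-05-12T00:12:50Z", "modified": "2025-05-12T00:12:50Z",
        "valid_from": "2025-05-12T00:12:50Z", "valid_until": "2025-06-11T00:12:50Z",
        "name": "Malware File", "confidence": 100, "pattern_type": "stix",
        "pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' "
                   "OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' "
                   "OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
        "labels": ["ReversingLabs", "34634", "PE/Exe/cpTinyGiant", "Zbot", "Trojan", "Early"],
        "external_references": [
            {"source_name": "mitre", "external_id": "T1018", "description": "Remote System Discovery"},
            {"source_name": "mitre", "external_id": "T1027", "description": "Obfuscated Files or Information"},
        ],
        "kill_chain_phases": [{"kill_chain_name": "rl-ransomware-kill-chain", "phase_name": "early"}],
        "revoked": False,
    },
    {   # constructed domain indicator
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000001",
        "valid_from": "2025-05-12T01:00:00Z", "valid_until": "2025-06-11T01:00:00Z",
        "name": "Malware Domain", "confidence": 100, "pattern_type": "stix",
        "pattern": "[domain-name:value = 'c2.example.invalid']",
        "labels": ["ReversingLabs", "Middle"],
        "kill_chain_phases": [{"kill_chain_name": "rl-ransomware-kill-chain", "phase_name": "middle"}],
        "revoked": False,
    },
]

if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        for row in flatten_indicator(obj):
            print(row["ioc_type"], row["value"], row["phases"], row["mitre"], "active" if row["active"] else "expired")
```

Run it as is to see the rows; pass `now=` to check a stored object against the validity window it had when it was fetched. Because `active` is recomputed from valid_from, valid_until and revoked on every run, a nightly job can drop rows that have aged out rather than keeping every hash ever published on the blocklist.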
Ransomware Indicators Lite Feed Query
API Root Discovery Query
Request format
GET api/taxii/ransomware-lite/
Path parameters:
ransomware-lite
- The endpoint to retrieve the API root for the Ransomware Indicators Lite Feed.
Response format
{
"description": "ReversingLabs ransomware data.",
"title": "ReversingLabs ransomware STIX 2.1 Collections",
"max_content_length": 999765625,
"versions": [
"application/taxii+json;version=2.1"
]
}
List Available Collections Query
Request format
GET api/taxii/ransomware-lite/collections/
Path parameters:
collections
- The endpoint to retrieve the list of collections available in the Lite feed.
Response format
{
"collections": [
{
"id": "f0997a32-b823-562d-9856-c754ac5e1159",
"title": "ReversingLabs Ransomware Collection",
"can_write": false,
"can_read": true,
"media_types": [
"application/stix+json;version=2.1"
]
}
]
}
Poll for Objects Query
Request format
GET api/taxii/ransomware-lite/collections/{collection_id}/objects
Path parameters:
collections
- The endpoint to retrieve the list of collections available in the Lite feed.
collection_id
- The ID of the collection whose objects to retrieve, as returned by the collections endpoint.
objects
- The endpoint to retrieve the objects in the specified collection.
Query parameters:
added_after
- A timestamp in RFC 3339 format to retrieve all objects after the specified timestamp.
limit
- Limit the number of objects returned in the response. Range: 1 - 500.
match[type]
- A comma-separated list of object types to filter by, such as indicator,malware,threat-actor. View the full list of supported fields.
next
- A string value indicating the next record or set of records in the dataset.
Response format
{
"more": true,
"next": "17562276",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
"created": "2025-05-12T00:12:50Z",
"modified": "2025-05-12T00:12:50Z",
"valid_from": "2025-05-12T00:12:50Z",
"valid_until": "2025-06-11T00:12:50Z",
"created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
"name": "Malware File",
"description": "Malware file activity was observed",
"confidence": 100,
"indicator_types": [
"malicious-activity"
],
"pattern_type": "stix",
"pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
"labels": [
"ReversingLabs",
"34634",
"PE/Exe/cpTinyGiant",
"Zbot",
"Trojan",
"Early"
],
"external_references": [
{
"source_name": "mitre",
"external_id": "T1018",
"description": "Remote System Discovery",
"url": "https://attack.mitre.org/techniques/T1018/"
},
{
"source_name": "mitre",
"external_id": "T1027",
"description": "Obfuscated Files or Information",
"url": "https://attack.mitre.org/techniques/T1027/"
}
],
"kill_chain_phases": [
{
"kill_chain_name": "rl-ransomware-kill-chain",
"phase_name": "early"
}
],
"revoked": false
}
]
}
Examples
API Root Discovery
Request
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/ -H "accept: application/taxii+json;version=2.1"
Response
{
"description": "ReversingLabs ransomware data.",
"title": "ReversingLabs ransomware STIX 2.1 Collections",
"max_content_length": 999765625,
"versions": [
"application/taxii+json;version=2.1"
]
}
List Available Collections
Request
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/ -H "accept: application/taxii+json;version=2.1"
Response
{
"collections": [
{
"id": "f0997a32-b823-562d-9856-c754ac5e1159",
"title": "Reversinglabs Ransomware Collection",
"can_write": false,
"can_read": true,
"media_types": [
"application/stix+json;version=2.1"
]
}
]
}
Poll for Objects
Request
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/ -H "accept: application/taxii+json;version=2.1"
Response
{
"more": true,
"next": "17562276",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dd2207cb-7e85-54a5-99ef-0b952b340435",
"created": "2025-05-12T00:12:50Z",
"modified": "2025-05-12T00:12:50Z",
"valid_from": "2025-05-12T00:12:50Z",
"valid_until": "2025-06-11T00:12:50Z",
"created_by_ref": "identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e",
"name": "Malware File",
"description": "Malware file activity was observed",
"confidence": 100,
"indicator_types": [
"malicious-activity"
],
"pattern_type": "stix",
"pattern": "[file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd']",
"labels": [
"ReversingLabs",
"34634",
"PE/Exe/cpTinyGiant",
"Zbot",
"Trojan",
"Early"
],
"external_references": [
{
"source_name": "mitre",
"external_id": "T1018",
"description": "Remote System Discovery",
"url": "https://attack.mitre.org/techniques/T1018/"
},
{
"source_name": "mitre",
"external_id": "T1027",
"description": "Obfuscated Files or Information",
"url": "https://attack.mitre.org/techniques/T1027/"
}
],
"kill_chain_phases": [
{
"kill_chain_name": "rl-ransomware-kill-chain",
"phase_name": "early"
}
],
"revoked": false
}
]
}
Filter by timestamp
Request
Use the added_after parameter to retrieve all objects after the specified timestamp. The timestamp must be an RFC 3339-formatted timestamp using the format YYYY-MM-DDTHH:MM:SS.ssssssZ.
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?added_after=2025-05-12T00:00:00.000000Z -H "accept: application/taxii+json;version=2.1"
Limit Returned Objects
Request
Use the limit query parameter to retrieve a specified number of objects.
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?limit=5 -H "accept: application/taxii+json;version=2.1"
Matching
Use the match[type] query parameter to filter objects by type.
Request
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?match[type]=indicator,malware,threat-actor -H "accept: application/taxii+json;version=2.1"
Paging
Request 1
Make the first request using the limit query filter.
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?limit=5 -H "accept: application/taxii+json;version=2.1"
Response
The response returns a more property with a boolean value, where true indicates that more objects are available. The value of the next property is used for the subsequent request.
{
"more": true,
"next": "17562276",
"objects": []
}
Request 2
Make the second request using the next query filter with the value returned in the previous response.
curl -u "username:password" https://data.reversinglabs.com/api/taxii/ransomware-api-root/collections/f0997a32-b823-562d-9856-c754ac5e1159/objects/?next=17562276 -H "accept: application/taxii+json;version=2.1"
Error Handling
All errors are returned in the TAXII 2.1 standard format. For more details, view the official TAXII error handling page.
Example Response
{
"description": "Unknown filter count encountered",
"http_status": "400",
"title": "ProcessingError"
}
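The Paging and Error Handling sections above describe two things a poller must get right: follow next while more is true, and recognise a TAXII error object (title, description, http_status) when it arrives instead of an envelope. The following is an added example, not ReversingLabs code, that does both. The request shapes (basic auth, the Accept header, the objects path, the limit / added_after / match[type] / next parameters) follow the curl examples on this page; the decision to repeat the original filter parameters alongside next is an assumption drawn from TAXII 2.1 rather than from the page, whose Request 2 shows only next. The fetch callable is injected so the paging logic runs offline against SAMPLE_PAGES, a constructed two-page response, and SAMPLE_ERROR, the error body from the Error Handling section.

```python
"""Page through a ransomware-feed collection and surface TAXII errors.

Added example, not ReversingLabs code.  Request shapes follow the page's curl
examples; repeating filters alongside `next` is an assumption from TAXII 2.1.
"""
import base64
import json
import urllib.parse
import urllib.request

TAXII_ACCEPT = "application/taxii+json;version=2.1"
COLLECTION_ID = "f0997a32-b823-562d-9856-c754ac5e1159"  # collection id from the page


class TaxiiError(Exception):
    """Raised when a TAXII error object (title/description/http_status) comes back."""


def make_http_fetch(base_url, username, password, timeout=30):
    """Build a fetch(path, params) callable doing authenticated GETs.

    Uses basic auth, as the curl examples do.  Not exercised offline."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": TAXII_ACCEPT, "Authorization": "Basic " + token}

    def fetch(path, params):
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def poll_objects(fetch, api_root, collection_id, added_after=None, limit=500,
                 types=None, max_pages=10000):
    """Yield every object in the collection, page by page.

    Stops when `more` is false (or no `next` token is supplied), raises
    TaxiiError on an error body, and caps the number of pages so a server
    that never reports `more: false` cannot spin the poller forever."""
    path = f"{api_root.strip('/')}/collections/{collection_id}/objects/"
    params = {"limit": limit}
    if added_after:
        params["added_after"] = added_after
    if types:
        params["match[type]"] = ",".join(types)
    for _ in range(max_pages):
        envelope = fetch(path, params)
        if "objects" not in envelope:
            # An error is a plain object, not an envelope: fail loudly rather
            # than treating it as an empty page and silently losing data.
            raise TaxiiError(f"{envelope.get('title')}: {envelope.get('description')} "
                             f"(HTTP {envelope.get('http_status')})")
        yield from envelope["objects"]
        if not envelope.get("more") or not envelope.get("next"):
            return
        # Assumption from TAXII 2.1: keep the same filters and add `next`.
        params = {**params, "next": envelope["next"]}
    raise TaxiiError(f"gave up after {max_pages} pages without `more: false`")


def _stub(n):
    """Constructed minimal object with a placeholder id."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}"}


# Constructed: what two successive polls with limit=2 might return.
SAMPLE_PAGES = {
    None: {"more": True, "next": "17562276", "objects": [_stub(1), _stub(2)]},
    "17562276": {"more": False, "next": None, "objects": [_stub(3)]},
}
# Error body from the Error Handling section of the page.
SAMPLE_ERROR = {"description": "Unknown filter count encountered",
                "http_status": "400", "title": "ProcessingError"}


def sample_fetch(path, params):
    """Constructed in-memory stand-in for the server: serves pages by `next`."""
    if not path.endswith(f"/collections/{COLLECTION_ID}/objects/"):
        raise ValueError("unexpected path: " + path)
    return SAMPLE_PAGES[params.get("next")]


def error_fetch(path, params):
    """Constructed stand-in that always answers with the page's error body."""
    return SAMPLE_ERROR


if __name__ == "__main__":
    for obj in poll_objects(sample_fetch, "api/taxii/ransomware-api-root", COLLECTION_ID, limit=2):
        print(obj["id"])
```

Against the live feed, swap the stub for `make_http_fetch("https://data.reversinglabs.com", username, password)` and pass `api_root="api/taxii/ransomware-api-root"` (or `ransomware-lite`), with `added_after` set to the watermark stored after the previous run so each poll only pulls new objects.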
Appendix A: Expected STIX Fields
Field | Description | Example Value |
---|---|---|
type | Specifies the type of the STIX Object. For Indicators, this MUST be ‘indicator’. | indicator |
spec_version | The STIX specification version used to represent this object. | 2.1 |
id | A unique identifier for this object, following the format indicator--UUID. | indicator--dd2207cb-7e85-54a5-99ef-0b952b340435 |
created | The time at which this object was originally created. | 2025-05-12T00:12:50Z |
modified | The time that this particular version of the object was last modified. | 2025-05-12T00:12:50Z |
valid_from | The time from which this Indicator is considered valid. | 2025-05-12T00:12:50Z |
valid_until | The time at which this Indicator should no longer be considered valid. | 2025-06-11T00:12:50Z |
created_by_ref | Specifies the ID of the Identity object that describes the entity that created this object. | identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e |
name | A name used to identify the Indicator. | Malware File |
description | A description that provides more details and context about the Indicator. | Malware file activity was observed |
confidence | A value between 0 and 100 that describes the confidence in the correctness of the data contained within this object. | 100 |
indicator_types | Specifies the type of indicator. For example, malicious-activity, anomalous-activity, etc. | malicious-activity |
pattern_type | Specifies the type of pattern used. Common values include stix, snort, yara, etc. | stix |
pattern | The detection pattern for the Indicator, expressed in the language defined by pattern_type. | [file:hashes.'SHA-1' = '30b1966606279762fc1703e68d3f4313a94252cb' OR file:hashes.'MD5' = '01d2a7062d6330c7fc4c3d071a75374d' OR file:hashes.'SHA-256' = 'f98f5d21a7643cbd273a69823873a3e8332fe3ad6da68bcd4ff8ad55b356ddbd'] |
labels | A set of labels applicable to this Indicator, providing additional context or metadata. | ReversingLabs, 34634, PE/Exe/cpTinyGiant, Zbot, Trojan, Early |
external_references | A list of external references that describe where this Indicator originated from or additional information. | {"source_name": "mitre", "external_id": "T1018", "description": "Remote System Discovery", "url": "https://attack.mitre.org/techniques/T1018/"} |
kill_chain_phases | Specifies the phase of the kill chain that this Indicator is associated with. | rl-ransomware-kill-chain: early |
revoked | Indicates whether this object has been revoked. | false |
more | Indicates if there are more objects available in the response. | true |
next | A token that can be used to retrieve the next set of objects in a paginated response. | 17562276 |