Anthropic-Cybersecurity-Skills/skills/investigating-ransomware-attack-artifacts/references/api-reference.md

API Reference: Investigating Ransomware Attack Artifacts

VirusTotal API v3

Endpoint	Method	Description
/api/v3/files/{hash}	GET	Look up ransomware sample by MD5/SHA-256
/api/v3/files	POST	Upload ransomware sample for analysis
/api/v3/files/{id}/behaviour_summary	GET	Retrieve behavioral analysis results

ID Ransomware

Endpoint	Method	Description
https://id-ransomware.malwarehunterteam.com/	POST	Upload ransom note or encrypted sample for variant ID

No More Ransom Project

Resource	Description
https://www.nomoreransom.org/crypto-sheriff.php	Check if free decryptor is available for identified variant

MalwareBazaar API

Endpoint	Method	Description
https://mb-api.abuse.ch/api/v1/	POST	Query ransomware samples by hash, tag, or signature

Key Libraries

• requests: HTTP client for VirusTotal and ID Ransomware API calls
• hashlib (stdlib): Calculate MD5/SHA-256 hashes of ransomware samples and notes
• re (stdlib): Extract Bitcoin addresses, Tor .onion sites, and emails from notes
• csv (stdlib): Parse exported Windows Event Log data
• pathlib (stdlib): Recursive file system traversal for artifact discovery

Ransomware IOC Patterns

Pattern	Regex	Description
Bitcoin	[13][a-km-zA-HJ-NP-Z1-9]{25,34}	Legacy Bitcoin addresses
Bitcoin Bech32	bc1[a-z0-9]{39,59}	SegWit Bitcoin addresses
Monero	4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}	Monero wallet addresses
Tor Sites	[a-z2-7]{16,56}\.onion	Tor hidden service domains

Configuration

Variable	Description
VT_API_KEY	VirusTotal API key for hash lookups and sample submission

References

• ID Ransomware
• No More Ransom Project
• CISA Stop Ransomware
• VirusTotal API v3