
Stay Ahead of Ransomware: Building an AI-Powered Ransomware Intelligence Agent

Authored by Raymond DePalma & Ryan Chapman

In the March 2026 episode of the SANS “Stay Ahead of Ransomware” livestream, returning guest Raymond “Mr. AI” DePalma from Palo Alto Networks Unit 42 joined show hosts Ryan Chapman and Mari DeGrazia for a demo-driven session that picked up where the February episode left off. In February (recording | blog), Ray introduced the defender’s AI toolkit: LLM fundamentals, threat attribution, and live demos from his “AI for the Win” repository. This time, Ray showed what putting those concepts into production looks like with a new open-source project: an AI-Powered Ransomware Intelligence Agent.

The Growing Challenge of Ransomware Threat Intelligence

Ransomware threat actors have become increasingly aggressive and continue to use data leak sites as extortion tools. Recent data from Chainalysis shows a 50% year-over-year increase in ransomware leak claims, underscoring the scale of the problem. At the same time, ransom payments have been trending downward, reflecting a stronger organizational stance on refusing to pay. These dynamics make timely, accurate threat intelligence essential for organizations that want to defend themselves proactively and understand attacker Tactics, Techniques, and Procedures (TTPs).

The sheer volume of activity makes manual analysis a losing battle. Analysts sifting through multiple feeds, blogs, and reports face a constant race against the clock, and attackers know it.

ransomware.live: The Intelligence Feed Powering the Agent

ransomware.live is a community-powered, open-source threat intelligence platform that continuously tracks ransomware groups and their victims across the dark web. It aggregates data leak site posts from hundreds of active ransomware groups and thousands of victim entries, providing one of the most comprehensive near-real-time views of ransomware activity available to defenders.

The platform exposes a free public API that surfaces recent victim data including company name, industry, country, ransomware group, and date of posting. The API also provides ransomware group profile data—descriptions, suspected origins, known TTPs, and operational history—making it an essential resource for threat analysts building intelligence pipelines.

The ransomware.live API is the data source at the heart of the AI-Powered Ransomware Intelligence Agent. By plugging ransomware.live’s API directly into an automated workflow, the agent can pull fresh victim data on a recurring schedule and feed it through AI analysis without any manual collection effort.

From Concepts to a Working Pipeline

Our February 2026 episode introduced agentic AI: systems that don’t merely answer questions, but autonomously carry out multi-step tasks. This episode brought that to life. Ray demonstrated a working pipeline built in n8n (an open-source workflow automation tool) that pulls live ransomware victim data from ransomware.live, processes it, runs it through AI analysis, and delivers a finished intelligence report, all on an automated schedule with no human intervention.

Why n8n? It’s visual (you can see what the pipeline does at a glance), self-hostable (important for security teams handling sensitive data), and supports LLM integrations natively. For security practitioners familiar with SOAR platforms, think of it as a lightweight, open-source alternative you can customize from scratch.

What the Agent Does

The centerpiece of the demo was the Ransomware Group Threat Monitor workflow. Ray walked through the data flow live on screen:

  • A scheduled trigger fires every six hours (or on demand) and pulls recent victim data from the ransomware.live V2 API.
  • The data is immediately replaced with synthetic company profiles (randomized names, industries, and dates) so no real victim information is ever exposed downstream.
    • This was deliberate: the entire pipeline can be demonstrated live without showing real victim data.
    • This step can be removed or modified when you want the real victim data to flow through the rest of the workflow.
  • The workflow filters by industry to focus on relevant sectors, then deduplicates and groups victims by ransomware actor.
  • Additional ransomware.live API calls retrieve detailed group profiles—descriptions, suspected origins, known TTPs, and operational history—to enrich each entry.
  • The enriched dataset is passed to an AI model that produces a threat intelligence assessment, including a weighted risk matrix factoring in attack velocity and geographic targeting.
  • The output is a polished HTML report with dashboard metrics, interactive charts, MITRE ATT&CK technique mappings, per-group profiles, and prioritized defensive recommendations.
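The data flow above, condensed into a stand-alone script. This is an added example written for this post, not the project's n8n workflow: the victim field names, the group-profile stand-in, the sector list, and the risk weights are all assumptions, and the records are constructed rather than pulled from ransomware.live. One deliberate difference from the demo is that the victim name is replaced with a keyed-hash pseudonym rather than a random string, so deduplication still works and the same victim maps to the same token across runs; industries and dates are left intact so the sector filter operates on real values.

```python
"""Added example: pull -> pseudonymize -> filter -> dedupe -> group -> enrich -> score.
Not the project's code; field names, weights and sample data are assumptions."""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample records shaped like ransomware.live victim entries (field names assumed).
SAMPLE_VICTIMS = [
    {"victim": "Acme Hospital Group", "group": "akira", "activity": "Healthcare", "country": "US", "discovered": "2026-03-01 09:14:00"},
    {"victim": "Acme Hospital Group", "group": "akira", "activity": "Healthcare", "country": "US", "discovered": "2026-03-01 09:14:00"},  # duplicate post
    {"victim": "Riverside Clinic", "group": "akira", "activity": "Healthcare", "country": "US", "discovered": "2026-03-03 06:02:00"},
    {"victim": "Nordic Freight AS", "group": "akira", "activity": "Transportation", "country": "NO", "discovered": "2026-03-02 17:40:00"},
    {"victim": "Old Records Inc", "group": "akira", "activity": "Healthcare", "country": "US", "discovered": "2026-02-10 10:00:00"},  # outside window
    {"victim": "Bayside Credit Union", "group": "qilin", "activity": "Financial Services", "country": "US", "discovered": "2026-03-03 02:05:00"},
    {"victim": "Metro Water Authority", "group": "qilin", "activity": "Utilities", "country": "CA", "discovered": "2026-03-04 11:20:00"},
    {"victim": "Rheinwerk Stadtwerke", "group": "play", "activity": "Utilities", "country": "DE", "discovered": "2026-03-05 13:30:00"},
    {"victim": "Pixel Games Ltd", "group": "ransomhub", "activity": "Media", "country": "GB", "discovered": "2026-03-05 08:00:00"},  # filtered by sector
]

# Stand-in for the per-group profile endpoint (constructed; not real profile data).
GROUP_PROFILES = {
    "akira": {"origin": "unknown", "ttps": ["T1078", "T1486"]},
    "qilin": {"origin": "unknown", "ttps": ["T1566.001", "T1486", "T1567.002"]},
}

SECTORS_OF_INTEREST = {"Healthcare", "Financial Services", "Utilities", "Transportation"}
PSEUDONYM_KEY = b"demo-only-rotate-me"  # assumption: a per-deployment secret, not a fixed string
VELOCITY_WEIGHT, GEO_WEIGHT = 0.6, 0.4  # assumed weights for the risk matrix


def pseudonymize(name: str) -> str:
    """Keyed hash of the victim name: stable across runs (dedup and trending keep working),
    not reversible without the key, and never the real name."""
    digest = hmac.new(PSEUDONYM_KEY, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"ORG-{digest[:8].upper()}"


def normalize(records, as_of: date, window_days: int):
    """Pseudonymize, keep only recent posts in sectors of interest, drop duplicate posts."""
    cutoff = datetime.combine(as_of, datetime.min.time()) - timedelta(days=window_days)
    seen, kept = set(), []
    for r in records:
        posted = datetime.strptime(r["discovered"], "%Y-%m-%d %H:%M:%S")
        if posted < cutoff or r["activity"] not in SECTORS_OF_INTEREST:
            continue
        key = (r["group"].lower(), pseudonymize(r["victim"]))
        if key in seen:  # same group re-posting the same victim
            continue
        seen.add(key)
        kept.append({"group": key[0], "victim": key[1], "sector": r["activity"],
                     "country": r["country"], "posted": posted})
    return kept


def score_group(victims, window_days: int):
    """Weighted risk: attack velocity (posts per week) plus breadth of geographic targeting."""
    velocity = len(victims) * 7 / window_days
    countries = sorted({v["country"] for v in victims})
    score = round(VELOCITY_WEIGHT * velocity + GEO_WEIGHT * len(countries), 2)
    level = "high" if score >= 2.0 else "medium" if score >= 1.0 else "low"
    return velocity, countries, score, level


def build_report(records, as_of: date, window_days: int = 7, profiles=GROUP_PROFILES):
    by_group = defaultdict(list)
    for v in normalize(records, as_of, window_days):
        by_group[v["group"]].append(v)
    groups = {}
    for name, victims in by_group.items():
        velocity, countries, score, level = score_group(victims, window_days)
        groups[name] = {
            "victims": sorted(v["victim"] for v in victims),
            "sectors": sorted({v["sector"] for v in victims}),
            "countries": countries,
            "velocity_per_week": velocity,
            "risk_score": score,
            "threat_level": level,
            # A group with no profile yet is data worth reporting, not an error.
            "profile": profiles.get(name, {"origin": "unknown", "ttps": []}),
        }
    ranked = sorted(groups, key=lambda g: (-groups[g]["risk_score"], g))
    return {"as_of": as_of.isoformat(), "window_days": window_days, "ranked": ranked, "groups": groups}


def demo_report():
    """Run the pipeline over the constructed sample as of a fixed date."""
    return build_report(SAMPLE_VICTIMS, date(2026, 3, 6))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

In the real workflow the `SAMPLE_VICTIMS` list is the HTTP node's response and `GROUP_PROFILES` comes from the per-group API calls; everything between those two inputs and the report is the part an analyst should be able to read and verify on the canvas.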

The finished report can be viewed in a browser or delivered as Markdown, with optional Slack and Google Docs delivery ready to enable.

Making AI Output Reliable

One of the more interesting parts of the demo was how Ray solved a common problem with LLM-powered automation: getting consistent, usable output. Instead of asking the AI for free-text analysis, the pipeline enforces a structured JSON schema: the AI must return specific fields like threat level, MITRE ATT&CK technique IDs, targeting patterns, and prioritized recommendations in a predictable format. Downstream steps in the workflow can then reliably consume the AI’s output without fragile text parsing. It’s the difference between a chatbot and a composable automation component.
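What "enforcing a schema" looks like on the consuming side, as an added example (not the project's code): a validator that every model response must pass before the next node sees it. The field names follow the ones the post lists (threat level, ATT&CK technique IDs, targeting patterns, prioritized recommendations), but the exact shape, the enum values and the technique allowlist are assumptions; the two model responses are constructed. Beyond checking types, it rejects technique IDs that are well-formed but absent from the ATT&CK catalogue, which is the hallucination failure mode the session warns about, and it tolerates the common case of a model wrapping its JSON in a Markdown fence.

```python
"""Added example: schema-validate LLM output before any downstream node consumes it.
Not the project's code; the schema, enums and technique allowlist are assumptions."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
THREAT_LEVELS = {"low", "medium", "high", "critical"}
PRIORITIES = {"P1", "P2", "P3"}
# Constructed subset; a deployment would load the full ID list from the ATT&CK STIX bundle.
KNOWN_TECHNIQUES = {"T1078", "T1486", "T1566", "T1566.001", "T1567.002", "T1021.001"}
REQUIRED_SHAPE = {"group": str, "threat_level": str, "techniques": list,
                  "targeting": dict, "recommendations": list}


def extract_json(raw: str):
    """Models often wrap JSON in a Markdown fence even when told not to; strip it, then parse."""
    text = raw.strip()
    fence = re.match(r"^```(?:json)?\s*(.*?)\s*```$", text, re.S)
    if fence:
        text = fence.group(1)
    return json.loads(text)


def validate_assessment(raw: str, known_techniques=KNOWN_TECHNIQUES):
    """Return (assessment, errors). assessment is None unless every check passes."""
    try:
        data = extract_json(raw)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return None, ["top level must be an object"]
    errors = []
    for field, typ in REQUIRED_SHAPE.items():
        if field not in data:
            errors.append(f"missing field: {field}")
        elif not isinstance(data[field], typ):
            errors.append(f"{field}: expected {typ.__name__}")
    if errors:  # structural failures make the value checks meaningless
        return None, errors
    if data["threat_level"] not in THREAT_LEVELS:
        errors.append(f"threat_level: {data['threat_level']!r} not in {sorted(THREAT_LEVELS)}")
    for tid in data["techniques"]:
        if not isinstance(tid, str) or not TECHNIQUE_ID.match(tid):
            errors.append(f"techniques: malformed ID {tid!r}")
        elif tid not in known_techniques:  # looks right, does not exist: likely fabricated
            errors.append(f"techniques: {tid} not in ATT&CK catalogue (possible hallucination)")
    targeting = data["targeting"]
    for key in ("sectors", "countries"):
        vals = targeting.get(key)
        if not isinstance(vals, list) or not all(isinstance(x, str) for x in vals):
            errors.append(f"targeting.{key}: expected list of strings")
    for i, rec in enumerate(data["recommendations"]):
        ok = (isinstance(rec, dict) and rec.get("priority") in PRIORITIES
              and isinstance(rec.get("action"), str) and rec["action"].strip())
        if not ok:
            errors.append(f"recommendations[{i}]: need priority in {sorted(PRIORITIES)} and a non-empty action")
    return (data if not errors else None), errors


# Constructed model responses: one clean, one with the usual defects.
GOOD_RESPONSE = json.dumps({
    "group": "akira", "threat_level": "high", "techniques": ["T1078", "T1486"],
    "targeting": {"sectors": ["Healthcare", "Transportation"], "countries": ["US", "NO"]},
    "recommendations": [{"priority": "P1", "action": "Enforce MFA on all VPN and RDP ingress"}],
})
FENCE = "`" * 3
BAD_RESPONSE = (FENCE + "json\n"
                '{"group": "qilin", "threat_level": "severe", '
                '"techniques": ["T1486", "T9999", "1486"], '
                '"targeting": {"sectors": ["Healthcare"], "countries": ["US"]}, '
                '"recommendations": [{"priority": "urgent", "action": "Patch VPN appliances"}]}'
                "\n" + FENCE)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        assessment, errors = validate_assessment(raw)
        print(label, "accepted" if assessment else "rejected", errors)
```

When validation fails, the workflow has two sane options: send the error list back to the model as a retry prompt (bounded to a couple of attempts), or route the item to a human review queue. Either is better than letting a free-text parser guess.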

Cloud AI or Fully Local - Your Choice

Every workflow ships in two versions: one using Anthropic’s Claude API, and one using Ollama, which runs models entirely on local hardware. The rest of the pipeline is identical; only the AI node swaps out.

Ray discussed the tradeoffs: Claude generally produces more consistent structured output and more nuanced analysis, while Ollama gives you full data privacy, zero API costs, and the ability to run in air-gapped environments. A well-funded SOC can use Claude while a university lab, startup, or home-lab practitioner can run the same workflow locally at no cost. Organizations with strict data residency requirements can route everything through a local model so that, beyond the initial pull from ransomware.live, no data ever leaves their environment.

A Learning Path, Not Just a Tool

The project is structured as a progressive learning path. The 101-level workflow teaches API integration and AI-powered analysis. Though not discussed in our episode, the 200-level builds on that with IOC enrichment (VirusTotal, AbuseIPDB), AI-generated YARA rules, historical trend analysis, multi-channel delivery, confidence scoring, and negotiation intelligence. Each level introduces new automation concepts, so practitioners can start where their skills are and grow from there.

The repository also includes a demo mode with a mock API server, so you can run the full pipeline with synthetic data. This is useful for training sessions, conference talks, or academic environments where connecting to live feeds isn’t practical.

AI Amplifies Expertise

The session wrapped up with a discussion that echoed a theme from the February episode: human oversight matters. The pipeline is designed for human-in-the-loop operation. The AI generates assessments, but the transparent data flow—visible in the n8n canvas with documented nodes throughout—means analysts can verify every claim. AI hallucinations are a real concern (models can fabricate attribution details or invent technique IDs), so pairing AI analysis with structured validation and human review gives you speed without sacrificing rigor.

“AI doesn’t replace expertise, it amplifies it.”

The project is released under a CC BY-NC 4.0 license, free for educational and defensive use.

Learning More and Looking Forward

To learn more, watch the March 2026 episode of the SANS “Stay Ahead of Ransomware” livestream. Want to watch prior episodes? Check out our Stay Ahead of Ransomware playlist on YouTube.

Get hands-on with the project:

Join us each month for the SANS “Stay Ahead of Ransomware” livestream on the first Tuesday of each month at 1:00 PM Eastern (10:00 AM Pacific).

Remember to check out our upcoming SANS training events, including FOR528: Ransomware and Cyber Extortion, where we dive into the technical details of preventing, detecting, and responding to ransomware and cyber extortion attacks. On the AI side of things, we also have FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models, which teaches cyber defenders to leverage AI to aid in DFIR and IR investigations.

Frequently Asked Questions

What is ransomware.live and why is it used here?

ransomware.live is a community-powered, open-source platform that tracks ransomware groups and their victims in near real-time. It exposes a public API surfacing victim data, ransomware group profiles, suspected origins, and known TTPs, making it an ideal data source for automated threat intelligence workflows.

What is n8n and why is it used here?

n8n is an open-source workflow automation tool that orchestrates data retrieval, transformation, and AI analysis in a visual, extensible environment. For security teams familiar with SOAR platforms, it offers similar orchestration capabilities with a lighter footprint and full self-hosting support.

Can this workflow run locally without internet access?

Yes. A mock API server is included for air-gapped testing, and local LLMs via Ollama can be integrated to avoid sending data to cloud AI providers entirely.

How does this solution handle data privacy?

Victim data pulled from ransomware.live is automatically redacted and replaced with synthetic company profiles before being processed or reported on, ensuring no real victim information is exposed downstream.

Is programming knowledge required?

Basic familiarity helps, but the visual n8n canvas and documented example nodes make it accessible for analysts with limited coding experience.

Can other AI models be used besides Claude?

Yes. The workflow is designed to be flexible. Ollama is already supported for local deployments, and the modular design makes it straightforward to swap in other models.
