ABUSE.CH maintains updated ransomware lists; here is the link to the txt file:
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

It is very simple to make a shell script that checks for file changes every hour,
downloads the file if there is a new one, and writes a .cf rule using the data
contained in the file.

But how to write a rule?
We have more than 4000 URIs in the file; we can do a single rule like this,
separating URIs with |:

uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
describe URIRAMS  Match a Ramsonware URI
score URIRAMS 5.00

or is it better to separate each URI:

uri __URIRAMS00001 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
uri __URIRAMS00002 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
meta URIRAMS (__URIRAMS00001 | __URIRAMS00002)
describe URIRAMS  Match a Ramsonware URI
score URIRAMS 5.00

Obviously this example is related to 2 entries, and we have 4000 entries here...
Any suggestions?







Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
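
An added example, not part of the original post: a shell function that produces the second layout asked about above (one uri sub-rule per entry plus a meta rule) from a list read on stdin. The function name gen_uri_rules and the sample feed in the usage comment are assumptions; the meta line uses ||, the boolean OR documented for SpamAssassin meta rules.

```shell
#!/bin/sh
# Added example: build SpamAssassin rules from a URL blocklist on stdin
# (one URL per line, lines starting with '#' are comments).
# Usage: gen_uri_rules URIRAMS < RW_URLBL.txt > rams.cf.new

gen_uri_rules() {
    tr -d '\r' |                          # tolerate CRLF line endings
    grep -Ev '^[[:space:]]*(#|$)' |       # drop comments and blank lines
    # Feed lines are third-party data: backslash-escape every regex
    # metacharacter, the "/" delimiter and "#" (comment char in .cf files)
    # so an entry can only ever match itself literally.
    sed 's,[][\\/.^$*+?(){}|#],\\&,g' |
    awk -v name="$1" '
        {
            rule = sprintf("__%s%05d", name, NR)
            print "uri " rule " /" $0 "/"
            sep = (NR > 1) ? " || " : ""
            meta = meta sep rule
        }
        END {
            if (NR == 0) exit 1           # empty feed: emit no meta rule
            print "meta " name " (" meta ")"
            print "describe " name "  Match a ransomware URI"
            print "score " name " 5.00"
        }'
}
```

Write the output to a temporary file and run spamassassin --lint before moving it into place, so a truncated or malformed download never replaces a working rule file.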