I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families.
This article examines the use of stylometric analysis to unmask ransomware groups. It looks at three new ransomware families, Shadow, 8BASE, and Rancoz, and how they are connected to known threat actors. Stylometry is the study of linguistic style, usually in written language, and it can be used to attribute authorship to anonymous or disputed documents.
The Shadow ransom note is similar to the LockBit3.0 ransom note, suggesting that it is a reskin of the leaked LockBit3.0 builder. The 8BASE ransom note is similar to the ransom note from the leaked builder of Babuk ransomware. The Rancoz ransom note is practically identical to the LockBit3.0 note.
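The comparisons above come down to measuring how much of one note's wording survives in another once the group name, contact address and victim ID have been swapped out. The following is an added example, not code from the article or from Zscaler ThreatLabz: it builds character trigram profiles of each note, scrubs per-campaign identifiers (URLs, e-mail addresses, long hex IDs) so that attribution rests on phrasing rather than on contact details, ranks candidate families by cosine similarity, and lists the sentences that are shared verbatim. All note texts are constructed placeholders written for this example; they are not real ransom notes.

```python
"""Toy stylometric comparison of ransom-note texts (added example, not the article's code).

All note texts below are constructed placeholders, not real ransom notes.
"""
from collections import Counter
import math
import re


def scrub_identifiers(text: str) -> str:
    """Replace per-campaign details (URLs, e-mails, long hex IDs) with fixed tokens.

    A reskinned note usually differs from its template only in these fields, so
    masking them lets the comparison focus on the author's phrasing.
    """
    text = re.sub(r"https?://\S+", "<URL>", text)
    text = re.sub(r"\S+@\S+", "<EMAIL>", text)
    text = re.sub(r"\b[0-9A-Fa-f]{16,}\b", "<ID>", text)
    return text


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so layout differences do not dominate."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def char_ngrams(text: str, n: int = 3) -> Counter:
    """Character n-gram frequency profile; robust to small word-level edits."""
    t = normalize(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity between two n-gram profiles (1.0 = identical distribution)."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def attribute(unknown: str, references: dict, n: int = 3) -> list:
    """Rank reference families by similarity to an unknown note, best match first."""
    prof = char_ngrams(scrub_identifiers(unknown), n)
    scores = {
        name: cosine_similarity(prof, char_ngrams(scrub_identifiers(ref), n))
        for name, ref in references.items()
    }
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def shared_sentences(a: str, b: str) -> list:
    """Sentences that are identical in both notes after scrubbing; useful as evidence."""
    def sentences(t: str) -> set:
        parts = re.split(r"(?<=[.!?])\s+", normalize(scrub_identifiers(t)))
        return {s.strip() for s in parts if s.strip()}
    return sorted(sentences(a) & sentences(b))


# Constructed reference notes (placeholders, not real ransomware text).
REFERENCE_NOTES = {
    "FamilyA": (
        "~~~ FamilyA ransomware ~~~ Your data has been encrypted and copied to our servers. "
        "To restore your files and prevent publication, contact us via the portal below. "
        "http://familya-portal-placeholder.onion/abcd1234 "
        "Do not attempt to decrypt files yourself; this will damage them. "
        "Your personal ID: 0123456789ABCDEF0123456789ABCDEF"
    ),
    "FamilyB": (
        "ATTENTION! All your documents, photos and databases were locked. "
        "The only way to get them back is to buy our decryption software. "
        "Write to us at support-placeholder@example.com "
        "Hurry up, the price doubles after 72 hours."
    ),
}

# Constructed "new group" note: FamilyA's template with the name and contact fields swapped.
UNKNOWN_NOTE = (
    "~~~ NewGroup ransomware ~~~ Your data has been encrypted and copied to our servers. "
    "To restore your files and prevent publication, contact us via the portal below. "
    "http://newgroup-portal-placeholder.onion/zzzz9999 "
    "Do not attempt to decrypt files yourself; this will damage them. "
    "Your personal ID: FEDCBA9876543210FEDCBA9876543210"
)


if __name__ == "__main__":
    for family, score in attribute(UNKNOWN_NOTE, REFERENCE_NOTES):
        print(f"{family}: {score:.3f}")
    best = attribute(UNKNOWN_NOTE, REFERENCE_NOTES)[0][0]
    for s in shared_sentences(UNKNOWN_NOTE, REFERENCE_NOTES[best]):
        print("shared:", s)
```

Character n-grams are used rather than whole words because a reskin typically changes a handful of tokens (group name, portal address, ID), and a word-level bag would penalise each of those as a full mismatch; trigrams keep the rest of the sentence intact. For real casework the reference set would be the ransom-note corpus from the ThreatLabz repository mentioned above, and a high similarity score is a lead to be confirmed against binary-level evidence, not proof of a shared operator.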
The article concludes that ransomware research is straightforward these days, as ransomware groups prefer templated attacks and there are multiple freely available leaked builders. The leaked LockBit and Babuk builders give low-skilled, poorly resourced attackers the ability to attack and ransom large organizations. Shadow, 8BASE, and Rancoz are likely not the last of these types of ransomware groups. The best way to track them is to keep an eye on them while they are still inexperienced. Any tips should be sent to law enforcement, as well as groups like The Ransomware Task Force and NoMoreRansom.
📓 Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz
👉🏽 I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families.
👉🏽 Article examines use of stylometric analysis to unmask ransomware groups.
👉🏽 Focuses on three new ransomware families: Shadow, 8BASE, and Rancoz.
👉🏽 Connects ransomware groups to known threat actors through similar ransom notes.
👉🏽 Stylometry used to attribute authorship to anonymous or disputed documents.
👉🏽 Shadow ransom note similar to LockBit3.0 ransom note, suggesting it's a reskin.
👉🏽 8BASE ransom note similar to Babuk ransomware's leaked builder.
👉🏽 Rancoz ransom note practically identical to LockBit3.0 note.
👉🏽 Ransomware groups rely on templated attacks and freely available leaked builders.
👉🏽 LockBit and Babuk provide low-skilled attackers the ability to target large organizations.
👉🏽 Best way to track inexperienced ransomware groups is to report tips to law enforcement or task forces.
#StylometricAnalysis #RansomwareGroups #Shadow #8BASE #Rancoz