| property | value |
| --- | --- |
| tags | analysis-stylometry,ransomware,threat-intel |
| url | |
| original_word_count | 803 |
Article Excerpt
I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families.
Long Summary
This article examines the use of stylometric analysis to unmask ransomware groups. It looks at three new ransomware families, Shadow, 8BASE, and Rancoz, and how they are connected to known threat actors. Stylometry is the application of the study of linguistic style, usually to written language, and it can be used to attribute authorship to anonymous or disputed documents.
The Shadow ransom note is similar to the LockBit3.0 ransom note, suggesting that it is a reskin of the leaked LockBit3.0 builder. The 8BASE ransom note is similar to the ransom note from the leaked builder of Babuk ransomware. The Rancoz ransom note is practically identical to the LockBit3.0 note.
The article concludes that ransomware research is straightforward these days, because ransomware groups prefer templated attacks and several leaked builders are freely available. The LockBit and Babuk builders give low-skilled, poorly resourced attackers the ability to attack and ransom large organizations. Shadow, 8BASE, and Rancoz are unlikely to be the last groups of this kind. The best way to track them is to keep an eye on them while they are still inexperienced. Any tips should be sent to law enforcement, as well as to groups like the Ransomware Task Force and NoMoreRansom.
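The comparison the article describes, a ransom note from a new family measured against notes from known families, can be reproduced with a basic stylometric feature set. The following is an added example, not code from the summarized article or from Zscaler's ThreatLabz repository: it builds character n-gram profiles of each note, strips victim-specific tokens (IDs, URLs) so only the template wording is compared, and ranks an unknown note against a reference set by cosine similarity. It generalizes the article's one-to-one comparisons to any number of reference families. All note texts, family names and function names below are constructed placeholders, not real ransom notes.

```python
"""Stylometric similarity between short texts via character n-gram profiles.

Added example (not from the summarized article or Zscaler's repo). It scores
how close an unknown ransom note is to each note in a reference set, the
kind of comparison used to link Shadow/Rancoz to LockBit3.0 and 8BASE to
Babuk. Every note text below is a constructed placeholder.
"""
import math
import re
from collections import Counter


def normalize(text: str) -> str:
    """Lowercase, collapse whitespace, and replace victim-specific tokens
    (URLs, long hex IDs) with fixed markers so they do not skew the score."""
    text = text.lower()
    text = re.sub(r"https?://\S+|\S+\.onion\S*", " <url> ", text)
    text = re.sub(r"\b[0-9a-f]{8,}\b", " <id> ", text)
    return re.sub(r"\s+", " ", text).strip()


def ngram_profile(text: str, n: int = 3) -> Counter:
    """Frequency profile of character n-grams, a classic stylometric feature
    that captures spelling, punctuation habits and phrasing at once."""
    t = normalize(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Cosine of the angle between two frequency vectors (1.0 = identical)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def note_similarity(note_a: str, note_b: str, n: int = 3) -> float:
    """Similarity of two notes on the n-gram profile, in [0, 1]."""
    return cosine_similarity(ngram_profile(note_a, n), ngram_profile(note_b, n))


def rank_against_reference_set(unknown: str, references: dict) -> list:
    """Score an unknown note against every reference note, highest first.
    Returns a list of (family_name, score) tuples."""
    scores = [(name, note_similarity(unknown, text)) for name, text in references.items()]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


# Constructed placeholder notes standing in for leaked-builder templates.
REFERENCE_NOTES = {
    "family-A-template": (
        "Your files are encrypted and stolen. Do not try to recover them yourself. "
        "Contact us through the portal and enter your personal ID to negotiate. "
        "You have 72 hours before the data is published."
    ),
    "family-B-template": (
        "All of your network data has been locked. To restore it write to our email "
        "and attach two small files as proof. Payment is accepted only in crypto."
    ),
}

# Constructed "new family" note: family A's wording with a fresh URL, ID and deadline.
UNKNOWN_NOTE = (
    "Your files are encrypted and stolen! Do not try to recover them yourself. "
    "Contact us through the portal http://example.onion/abc and enter your personal ID "
    "0123456789abcdef to negotiate. You have 48 hours before the data is published."
)


if __name__ == "__main__":
    for family, score in rank_against_reference_set(UNKNOWN_NOTE, REFERENCE_NOTES):
        print(f"{family:20s} {score:.3f}")
```

Character trigrams are deliberately crude: they are enough to flag a reskin of a leaked template, but a high score only says the wording was copied, not that the same operators are behind both families, which is the same caveat the article's reasoning carries.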
Short Summary
Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz
- I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families.
- Article examines use of stylometric analysis to unmask ransomware groups.
- Focuses on three new ransomware families: Shadow, 8BASE, and Rancoz.
- Connects ransomware groups to known threat actors through similar ransom notes.
- Stylometry used to attribute authorship to anonymous or disputed documents.
- Shadow ransom note similar to LockBit3.0 ransom note, suggesting it's a reskin.
- 8BASE ransom note similar to Babuk ransomware's leaked builder.
- Rancoz ransom note practically identical to LockBit3.0 note.
- Ransomware groups rely on templated attacks and freely available leaked builders.
- LockBit and Babuk provide low-skilled attackers the ability to target large organizations.
- Best way to track inexperienced ransomware groups is to report tips to law enforcement or task forces.
Summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/unmasking-ransomware-using-stylometric-analysis-shadow-8base-rancoz
#StylometricAnalysis #RansomwareGroups #Shadow #8BASE #Rancoz