Family Ties: Multigenerational Ransomware Family Analysis Using Intezer

The adoption of the Ransomware as a Service (RaaS) model has rapidly evolved the ransomware threat landscape. As a result, ransomware binary analysis of next-generation samples contains marginal code similarities with early generations within the same family. Often new generations of ransomware detection incorrectly identify the ransomware family. Infrastructure, tools, techniques, and procedures (TTPs), or ransom notes often determine the initial ransomware classification. Code similarities could assist investigators in identifying RaaS groups working on multiple ransomware families. Identifying common coding tactics in highly developed code allows security researchers to expedite attribution and develop mitigation strategies. Law enforcement can use code similarity analysis to show affiliation between ransomware groups. This paper aims to determine whether code similarities exist between next-generation ransomware and earlygeneration binaries. Research focuses on ransomware families containing four generations and analyzes randomly selected binaries using an automated genetic tool. Intezer’s genetic analysis compares binary samples against Intezer’s malware code repository. Intezer allows incident responders to analyze ransomware binaries and identify malware more accurately and quickly.