
Family Ties: Multigenerational Ransomware Family Analysis Using Intezer

Family Ties: Multigenerational Ransomware Family Analysis Using Intezer (PDF, 0.32 MB)

Published: 18 Jan, 2023
Created by: SANS Institute

The adoption of the Ransomware as a Service (RaaS) model has rapidly evolved the ransomware threat landscape. As a result, binary analysis of next-generation ransomware samples finds only marginal code similarity with early generations of the same family, and detection tooling often misidentifies the family of a new generation. Infrastructure, tools, techniques, and procedures (TTPs), or ransom notes usually determine the initial ransomware classification. Code similarities could instead help investigators identify RaaS groups working on multiple ransomware families. Identifying common coding tactics in highly developed code allows security researchers to expedite attribution and develop mitigation strategies, and law enforcement can use code similarity analysis to show affiliation between ransomware groups. This paper aims to determine whether code similarities exist between next-generation ransomware and early-generation binaries. The research focuses on ransomware families with four generations and analyzes randomly selected binaries using an automated genetic analysis tool: Intezer's genetic analysis compares binary samples against Intezer's malware code repository, allowing incident responders to analyze ransomware binaries and identify malware more accurately and quickly.

Meet the expert

SANS Institute

Launched in 1989 as a cooperative for information security thought leadership, it is SANS’ ongoing mission to empower cyber security professionals with the practical skills and knowledge they need to make our world a safer place.
