Ransomware attribution 2026: TTPs, notes, fingerprints

By Jesse William McGraw, May 10, 2026

Updated May 2026.

“Who hit us?” is the first question executive teams ask after the runbook is open. It’s also the question most likely to be answered with the wrong group, in the wrong direction, with confidence that nobody’s earned. Modern ransomware attribution is a stack of soft signals that rarely converge to certainty. Done well, it produces a ranked list with confidence levels. Done badly, it lands you with a press release pointing at the wrong actor and a regulator asking how you got there.

This is the attribution methodology I use, the one that survives independent review when external counsel or a national CERT eventually sees the work. Treat it as a structured ranking exercise: build a hypothesis, score it against evidence, document why competing hypotheses lose.

What attribution actually means

“This was group X” is the worst form of attribution language. Real attribution lives at one of four levels:

  • Strain attribution. The encryptor binary belongs to a known ransomware family. Usually solid, sometimes wrong (forks, builders leaked from one operator and reused by another).
  • Operator attribution. The attack chain matches the operator team that maintains a particular leak site and brand. Less solid because affiliates, not operators, run the campaigns.
  • Affiliate attribution. The specific affiliate within a RaaS programme that ran this campaign. Hardest, but the most useful for IR purposes: affiliates have signature TTPs that survive even when they switch operator brands.
  • Identity attribution. A specific individual. Almost never appropriate for private-sector defenders to assert publicly. Leave this to law enforcement.

Most defensive attribution work needs to land at strain or operator with high confidence and at affiliate level with medium confidence. Anything beyond that is where careers go to be ended.

The five evidence streams

[Figure: five evidence streams feeding a verdict. 01 Strain (encryptor binary); 02 Ransom note (format, wallet, Tor); 03 Leak site (listings, timing); 04 TTP match (ATT&CK pattern); 05 Infrastructure (C2, loaders, IPs).]
Five independent evidence streams converge to a verdict at strain, operator, or affiliate level.

Stream 1: Encryptor strain identification

If you have a sample of the encryptor binary, this is your highest-confidence stream. Three layers of analysis:

  • YARA scanning. The Yara-Rules community repo and vendor feeds (Elastic, ReversingLabs, Mandiant) cover most active families. Run the binary against an aggregated rule set; matches narrow you to a family quickly.
  • Imphash and rich-header pivots. The PE import-hash and Rich Header bytes survive across builds of the same toolchain. Pivot in VirusTotal Intelligence or MalwareBazaar to find sister samples and their first-seen dates.
  • Encryptor behaviour. File-extension naming convention, ransom-note filename pattern, encryption mode (full file vs. partial vs. intermittent), and which file types are excluded; most operators have signature behaviours catalogued by family in Malpedia.

Confidence calibration: a YARA + imphash + Malpedia behaviour match is high-confidence strain attribution. A YARA match alone is medium-confidence (open-source builders mean leaked code reuse is real).

Stream 2: Ransom-note forensics

The note left on each encrypted host is a deliberate identifier. Operators want victims to find their leak site. Five fields to extract:

  • The TOR or clearnet URL for the negotiation portal. This is usually the strongest single signal: operators don’t share negotiation infrastructure.
  • The crypto wallet address. Cross-reference against blockchain analytics (Chainalysis, OXT, Walletexplorer) to see whether the address has been used before and by whom.
  • Note formatting and language. Each operator has signature phrasing, signature ASCII art, signature filename (!README.txt, HOW_TO_RECOVER.txt, RESTORE_FILES_INFO.txt).
  • Personalisation level. Mass-deploy operators leave generic notes; bespoke crews customise per victim with company name, revenue, regulatory exposure.
  • Negotiation portal mechanics. Authentication scheme, presence of a chat function, multi-language support, whether the portal accepts ZIP uploads of “proof of decryption”; each is a fingerprint.

Compare against the editorial profiles in our Threat Groups archive. We document signature-note patterns for each operator we cover.
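As an added illustration of the note-field extraction above (not the article's own tooling), the following Python pulls the portal URL, wallet address and victim ID out of a note and hashes the note with those per-victim tokens masked, so every host in one campaign, or two campaigns reusing one note template, fingerprints identically. The notes, portal hostnames and wallet addresses are constructed samples.

```python
import hashlib
import re

# Constructed sample notes (not taken from any real operator). Hosts A and B come from
# the same campaign and share a template; the third note is a bespoke, personalised one.
NOTE_HOST_A = """!!! YOUR FILES ARE ENCRYPTED !!!
Victim ID: 7f3a9c21-0001
Contact us: http://examplenegotiationportal.onion/chat
Pay to: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Do not rename files. Do not use third-party decryptors.
"""
NOTE_HOST_B = NOTE_HOST_A.replace("7f3a9c21-0001", "7f3a9c21-0002").replace(
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2")
NOTE_BESPOKE = """Acme Corp, we hold 400 GB of your finance and HR data.
Your ID: ACME-2026
Portal: http://examplebespokeportal.onion/
"""

# Tor hostnames are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/\S*)?")
# Bitcoin addresses: bech32 (bc1...) and legacy base58 (1... / 3...) forms.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
VICTIM_ID_RE = re.compile(r"(?i)(victim\s*id|your\s*id)\s*[:=]\s*(\S+)")


def template_fingerprint(note: str) -> str:
    """Hash the note with per-victim tokens masked, so every host in one campaign
    (and any campaign reusing the same note template) yields the same value."""
    masked = ONION_RE.sub("<PORTAL>", note)
    masked = BTC_RE.sub("<WALLET>", masked)
    masked = VICTIM_ID_RE.sub(lambda m: f"{m.group(1)}: <ID>", masked)
    masked = re.sub(r"\s+", " ", masked).strip()
    return hashlib.sha256(masked.encode("utf-8")).hexdigest()


def extract_fields(note: str, victim_name: str = "") -> dict:
    """Pull the pivotable fields out of a ransom note for the attribution matrix."""
    id_match = VICTIM_ID_RE.search(note)
    return {
        "portals": ONION_RE.findall(note),
        "wallets": BTC_RE.findall(note),
        "victim_id": id_match.group(2) if id_match else None,
        # Bespoke crews name the victim in the note; mass-deploy notes stay generic.
        "personalised": bool(victim_name) and victim_name.lower() in note.lower(),
        "template_hash": template_fingerprint(note),
    }
```

Feed `template_hash` and the portal hostname into the Stream 2 row of the matrix; the hash lets you compare notes across hosts without shipping the note text itself.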

Stream 3: Leak-site listing

The leak site is your highest-confidence operator-level signal. If your organisation appears on a named operator’s leak site, the operator is the publisher of that site. Three things to record at first sighting:

  • Listing timestamp. The window between encryption event and leak-site listing reveals which phase of the operator’s playbook you’re in. Most named operators publish 7–14 days after non-payment.
  • Sample data shown. What did they leak as proof? File-tree screenshots, document samples, employee directory entries; each is independently dateable and corroborates exfiltration scope.
  • Listing format. Country/sector tags, victim-name redaction style, countdown timer mechanics. Operator brands tend to keep these consistent over time.

Our Ransomtracker dashboard aggregates leak-site listings across active operators and lets you query by operator slug. Comparison is faster than visiting each Tor site individually.

Stream 4: TTP matching against MITRE ATT&CK

Each operator and active affiliate has a signature attack chain. Reconstruct yours from the forensic timeline:

  • Initial access (T1078, T1133, T1190, T1566). Was it stolen VPN credentials, an unpatched perimeter app, a phishing payload?
  • Execution and persistence (T1059, T1547, T1543). Which scripting languages? Which scheduled-task names? Which registry keys?
  • Defense evasion (T1562, T1070). Specifically, which AV / EDR products were targeted for disabling, with which tooling?
  • Lateral movement (T1021, T1570). RDP, SMB, WMI, WinRM, PsExec? Custom tooling?
  • Exfiltration (T1567). Rclone to MEGA / Backblaze, FileZilla to attacker FTP, custom uploader?
  • Encryption (T1486). Multi-thread vs. partial vs. intermittent? Targeting which file extensions?

Plug the chain into MITRE ATT&CK’s Groups and Software matrices. Most named operators have curated profiles. Match patterns; the better fits cluster around fewer candidates.

Stream 5: Infrastructure pivots

C2 IPs, loader infrastructure, and reused tooling URLs leave fingerprints. Pivot opportunities:

  • Network IOCs from your incident: pivot in VirusTotal, ThreatFox, AbuseIPDB and GreyNoise. Reused IPs are the most useful pivot.
  • Loader and Cobalt Strike beacon configurations: extract them with tools such as CobaltStrikeParser; the watermark and PDB path are operator/affiliate fingerprints.
  • Defense-evasion tooling: which signed driver was loaded for kernel-level AV disabling? Several affiliate clusters share signed-driver tooling, and that overlap is a pivot.

Producing the verdict

Build a small matrix. Five evidence streams down the rows, candidate operators across the columns. For each cell, score 0/1/2 (no evidence, weak evidence, strong evidence) and add a one-line citation. The candidate with the highest total score and the most independent streams hitting is your top hypothesis.

Three rules that keep attribution honest:

  • Two streams aren’t enough. A YARA hit plus a leak-site listing is a hypothesis, not a verdict. Three independent streams hitting is the minimum I publish behind.
  • Note the alternatives. If your matrix has a second-place candidate within ~30% of the leader, your write-up names them and explains why they lose.
  • Time-stamp every claim. Operators rebrand. The verdict in May 2026 may be wrong by November. Date the analysis and revisit if anyone reuses it later.
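The matrix and the three rules above, worked through in Python as an added example (not the article's own tooling): the operator names, scores and citations are constructed placeholders for a hypothetical incident, not findings about any real group.

```python
# Scores per cell, as in the text: 0 = no evidence, 1 = weak, 2 = strong.
NO, WEAK, STRONG = 0, 1, 2
STREAMS = ("strain", "ransom_note", "leak_site", "ttp_match", "infrastructure")
MIN_STREAMS_TO_PUBLISH = 3   # rule 1: three independent streams hitting
RUNNER_UP_MARGIN = 0.30      # rule 2: name any candidate within ~30% of the leader

# Constructed matrix for a hypothetical incident: candidate -> stream -> (score, citation).
# Operator names and citations are placeholders, not findings about any real group.
MATRIX = {
    "Operator-A": {
        "strain":         (STRONG, "YARA + imphash + Malpedia behaviour match on sample"),
        "ransom_note":    (STRONG, "negotiation .onion and note filename match profile"),
        "leak_site":      (STRONG, "victim listed on Operator-A leak site on day 9"),
        "ttp_match":      (WEAK,   "T1078 VPN creds + T1567 rclone; shared by several affiliates"),
        "infrastructure": (NO,     "no C2 or loader overlap found"),
    },
    "Operator-B": {
        "strain":         (STRONG, "same leaked builder; strain does not separate A from B"),
        "ransom_note":    (NO,     "different portal and note filename"),
        "leak_site":      (NO,     "not listed"),
        "ttp_match":      (STRONG, "signed-driver EDR kill matches Operator-B affiliate cluster"),
        "infrastructure": (WEAK,   "one loader IP previously reported in an Operator-B campaign"),
    },
}


def score(cells: dict) -> tuple:
    """Return (total score, number of independent streams with any evidence)."""
    total = sum(cells[s][0] for s in STREAMS)
    hits = sum(1 for s in STREAMS if cells[s][0] > NO)
    return total, hits


def verdict(matrix: dict, analysed_on: str) -> dict:
    """Rank candidates by total then by streams hit, and apply the three honesty rules."""
    ranked = sorted(matrix, key=lambda c: score(matrix[c]), reverse=True)
    leader = ranked[0]
    lead_total, lead_hits = score(matrix[leader])
    floor = (1 - RUNNER_UP_MARGIN) * lead_total
    return {
        "top_hypothesis": leader,
        "score": lead_total,
        "streams_hit": lead_hits,
        "publishable": lead_hits >= MIN_STREAMS_TO_PUBLISH,
        "alternatives_to_name": [c for c in ranked[1:] if score(matrix[c])[0] >= floor],
        "citations": {s: why for s, (v, why) in matrix[leader].items() if v > NO},
        "analysed_on": analysed_on,   # rule 3: operators rebrand, so date the verdict
    }
```

In the constructed matrix Operator-A leads on 7 points across four streams, but Operator-B's 5 points fall inside the 30% margin, so the write-up has to name it and explain why it loses.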

Free tools you should be running

  • Malpedia: community-curated malware family encyclopedia.
  • MITRE ATT&CK: group and software matrices.
  • MalwareBazaar, URLhaus and Feodotracker: abuse.ch open feeds.
  • RansomLook: open-source ransomware leak-site monitor (which our Ransomtracker attributes as upstream).
  • IC3 and your national CERT: for upstream sharing once you have a verdict.

A common mistake to avoid

The single most common attribution failure in 2026 is publishing operator-level attribution when the evidence only supports strain-level. The encryptor binary may be LockBit Black, because that builder leaked in 2022 and is reused widely. The operator running the campaign may be entirely unrelated to the post-Cronos LockBit successors. Don’t conflate strain with operator without independent corroboration from the leak-site or TTP streams.

Further reading

  • Our threat-actor profiling tutorial: the reverse direction (build a profile of a known group).
  • Our Threat Groups archive: every operator we cover, with TTP and leak-site fingerprints.
  • Mandiant blog and Cisco Talos: vendor analyses that often pre-empt public-source attribution.
  • Our Ransomtracker: active leak-site monitoring.

Attribution is structured opinion. Done well, it documents reasoning and confidence; done badly, it produces certainty unbacked by evidence. Treat it as a hypothesis-ranking exercise, score every claim, and you’ll deliver a verdict that survives review by the people who’ll eventually see your work.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
