Ransomware operators rebrand constantly: Conti became BlackBasta, Karakurt, and a handful of smaller splinter operations; ALPHV’s affiliates moved to RansomHub. The rebrands are intentional reputation laundering, but the affiliates underneath rarely change tooling overnight. Sample fingerprints, builder artefacts, and TTPs persist across brand boundaries. This tutorial walks through tracking the same crew across rebrands using free tools.
Step 1: Collect samples from each suspected brand
Get representative ransomware samples from each operator brand you’re investigating. Sources:
- MalwareBazaar (abuse.ch), free with API key. Searchable by family tag, hash, file type.
- VirusTotal, Intelligence subscription required for sample download, but the free side gives you hashes and metadata.
- Tria.ge, public submissions, also has historical samples.
Aim for 10+ samples per brand to find consistent patterns rather than per-sample noise.
Step 2: Compare static structure
For each sample, run static analysis. Critical fields to compare:
- Compiler artefacts, MSVC version, Rust toolchain version, Go build ID
- Imphash, the hash of the imported function table; relatively stable across recompilations
- Rich header, Microsoft compiler metadata, often unique to a build environment
- Section names and entropy, packers leave characteristic patterns
- Configuration block format, many ransomware families embed config in similar layouts; format consistency suggests shared lineage
VirusTotal’s “Details” tab surfaces all of these for any submitted sample. Compare side by side.
Step 3: Write YARA rules to find more
When you find structural patterns shared across brands, encode them as YARA rules and search VT and MalwareBazaar for hits.
Example rule structure for catching shared ransomnote templates:
rule shared_note_template
{
    strings:
        $a = "your files have been encrypted"   // ransom-note phrasing reused across brands
        $b = ".onion"                            // Tor contact address embedded in the note
        $c = { 8B ?? 33 ?? 89 }                  // shared crypto-routine bytes
    condition:
        2 of them and filesize < 5MB
}
VirusTotal supports YARA-based retrohunts (Intelligence subscription). MalwareBazaar’s free YARAify service lets you run rules against its entire corpus.
Step 4: Cross-reference TTPs from IR reports
Sample-level fingerprints are one signal; deployment behaviour is another. Look at IR reports for both brands. Indicators that suggest the same affiliate underneath:
- Same initial-access broker family (e.g., consistent IcedID variants used)
- Same lateral-movement tool (Atera, AnyDesk, Cobalt Strike beacon profile)
- Same exfiltration destination patterns (Mega.nz with similar account-naming convention)
- Same negotiation behaviour and language quirks on leak-site chat
The DFIR Report publishes detailed breakdowns at the affiliate-TTP level. Sophos X-Ops, Huntress Labs, and Rapid7 are also valuable for this.
Step 5: Build the cross-brand graph
In Maltego or any graph tool: nodes for each brand, edges labelled with shared indicators. Assign a confidence score per indicator (high for a shared YARA hit, medium for a shared infrastructure IP, low for a similar-but-not-identical TTP). The graph is the deliverable; it shows the case visually.
Step 6: Time-series alignment
Brands often go quiet around the time of a rebrand. Align the timelines: if Brand A’s last claimed victim is the week before Brand B’s first claimed victim, and the technical fingerprints overlap, the case for affiliate continuity is strong. Ransomwhe.re and RansomLook’s public dashboards make this easy to plot.
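The scoring and timeline alignment from Steps 5 and 6, as an added example that is not part of the original tutorial. Brand profiles, indicator values and activity dates are all constructed placeholders; the confidence tiers follow the tutorial, and treating a shared imphash as high-confidence is my own assumption.

```python
from datetime import date
from itertools import combinations

# Confidence tiers from the tutorial: high for a shared YARA hit, medium for a
# shared infrastructure IP, low for a similar TTP. Treating a shared imphash as
# high-confidence is an assumption of this example, not something the tutorial states.
WEIGHTS = {"yara": 3, "imphash": 3, "infra_ip": 2, "ttp": 1}

# Constructed sample profiles: every value below is a placeholder, not a real IoC.
BRANDS = {
    "BrandA": {"yara": {"shared_note_template"}, "imphash": {"imphash-placeholder-1"},
               "infra_ip": {"ip-placeholder-1"}, "ttp": {"icedid", "anydesk"}},
    "BrandB": {"yara": {"shared_note_template"}, "imphash": {"imphash-placeholder-1"},
               "infra_ip": {"ip-placeholder-2"}, "ttp": {"icedid", "anydesk", "mega"}},
    "BrandC": {"yara": set(), "imphash": {"imphash-placeholder-2"},
               "infra_ip": {"ip-placeholder-2"}, "ttp": {"cobaltstrike"}},
}

# Constructed (first claimed victim, last claimed victim) dates per brand.
ACTIVITY = {
    "BrandA": (date(2022, 1, 3), date(2022, 5, 20)),
    "BrandB": (date(2022, 5, 27), date(2023, 2, 1)),
    "BrandC": (date(2021, 6, 1), date(2022, 9, 1)),
}


def shared_indicators(a, b):
    """(indicator type, value) pairs present in both brand profiles."""
    return [(k, v) for k in WEIGHTS for v in sorted(a.get(k, set())) if v in b.get(k, set())]


def edge_score(a, b):
    """Weighted sum of shared indicators; this becomes the edge label in the graph."""
    return sum(WEIGHTS[k] for k, _ in shared_indicators(a, b))


def succession_gap_days(act_a, act_b):
    """Days from the earlier brand's last victim to the later brand's first victim.
    Returns None when the activity windows overlap, i.e. there is no clean hand-off."""
    earlier, later = sorted((act_a, act_b))
    gap = (later[0] - earlier[1]).days
    return gap if gap >= 0 else None


def build_graph(brands, activity, min_score=2):
    """Edges between brand pairs whose shared-indicator score reaches min_score."""
    edges = []
    for x, y in combinations(sorted(brands), 2):
        shared = shared_indicators(brands[x], brands[y])
        score = sum(WEIGHTS[k] for k, _ in shared)
        if score >= min_score:
            edges.append({"brands": (x, y), "score": score, "shared": shared,
                          "gap_days": succession_gap_days(activity[x], activity[y])})
    return sorted(edges, key=lambda e: -e["score"])
```

With the constructed data, BrandA and BrandB link with score 8 and a 7-day hand-off gap, while BrandB and BrandC share only one infrastructure IP and have overlapping activity windows.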
Step 7: Publish responsibly
“Affiliate continuity” claims should be hedged proportionally to evidence. “Strong technical overlap suggests shared affiliate lineage” reads better and ages better than “RansomHub IS ALPHV.” The former survives new evidence; the latter creates retraction risk.
Done well, this work tells defenders something operationally useful: when Brand A goes quiet and Brand B starts, the affiliates underneath haven’t lost a step. Plan accordingly.
