The DFIR Ransomware Project helps digital forensic examiners, SOC analysts, and incident responders understand various types of ransomware. Each type of ransomware is slightly different and some of those differences matter to an incident responder and others don’t.
For example, if an incident responder is trying to figure out how the attacker got in:
- The ransomware encryption algorithm details don’t matter. They may matter to data recovery people and malware researchers, but not the incident responder.
- The built-in propagation techniques do matter though. They can help direct the responder to artifacts that may help show where else the attacker logged in.
This project uses a framework with 12 categories to describe the behavior of the family. Various ransomware families each have their own page and are evaluated against the framework. You can find the list of ransomware types on the left-hand menu.
This is a community project that arose from a presentation by Brian Carrier (Cyber Triage) and Brian Moran (BriMor Labs) at ResponderCon. See the Contribution page for how to submit pull requests and help out.
Thank You To The Contributors
This project was started by: