This project is community led and you can get involved by submitting GitHub pull requests with updates to current pages or entirely new pages.
EXE vs TTP
Make sure that data you add is about the ransomware executable and not about the attackers who use the executable. Many blog posts merge these concepts, and it can be confusing to determine what happened because of the ransomware EXE versus what the attacker decided to do. We find the best blogs to use are ones that reverse engineer the EXE because they often ignore the attacker TTPs.
For example, it could be that all known attacks using Ransomware Family X use phishing as their initial attack vector. But, if phishing is not part of the EXE, then it doesn’t go into this framework. After all, an attacker could decide tomorrow to use a server exploit to gain access and use the same ransomware EXE.
Expanding an Existing Family
- Make a fork of the repo.
- Make a branch (optional).
- Edit the file in the docs/families/ folder.
- Ensure any changes you make have a corresponding reference. We want to give credit to the original authors. Multiple rows can refer to the same reference.
- Make a pull request.
Expanding The Common Methods
Same as above, except edit docs/common.md.
Adding a New Family
- Make a fork of the repo.
- Make a branch (optional).
- Copy the contents of “template.md”.
- Select “Add File”, and add a new file under the docs/families/ folder named “yourransomware.md” (e.g., “conti.md”).
- Edit the top part of the file to add the title and URL. There are TODO instructions for each step. You can delete the TODO lines.
- Fill in the table in the file and include a reference for each entry. Multiple rows can refer to the same reference.
- If you do not have data for one of the categories, then leave it as TBD. Use “TBD”, “None” or “No” instead of an empty entry.
- Make a pull request.
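A check you can run on a family file before opening the pull request, as an added example that is not part of the project's own tooling. It assumes a Markdown pipe table whose first column names the category and whose last column holds the reference; that layout and the sample rows are assumptions, not taken from template.md.

```python
import re

PLACEHOLDERS = {"tbd", "none", "no"}       # values the guide allows instead of a blank
SEPARATOR = re.compile(r":?-{3,}:?")       # one cell of a Markdown header separator row

def table_rows(markdown):
    """Return (line_number, cells) for every body row of every pipe table."""
    rows = []
    for n, line in enumerate(markdown.splitlines(), 1):
        s = line.strip()
        if not s.startswith("|"):
            continue
        body = s[1:-1] if len(s) > 1 and s.endswith("|") else s[1:]
        cells = [c.strip() for c in body.split("|")]
        if all(SEPARATOR.fullmatch(c) for c in cells):
            if rows:
                rows.pop()                 # the row above a separator is the header
            continue
        rows.append((n, cells))
    return rows

def lint_family(markdown):
    """Flag blank entries and data entries that carry no reference."""
    problems = []
    for n, cells in table_rows(markdown):
        *values, ref = cells               # assumption: last column is the reference
        for col, value in enumerate(values, 1):
            if not value:
                problems.append((n, f"column {col} is empty; use TBD, None or No"))
        # assumption: first column names the category, the rest hold data
        has_data = any(v and v.lower() not in PLACEHOLDERS for v in values[1:])
        if has_data and (not ref or ref.lower() in PLACEHOLDERS):
            problems.append((n, "entry has data but no reference"))
    return problems

# Constructed sample, not a real family page.
SAMPLE = "\n".join([
    "| Category | Value | Reference |",
    "|---|---|---|",
    "| Category A | Example value | [1] |",
    "| Category B | Example value | |",
    "| Category C | | |",
    "| Category D | TBD | |",
])

if __name__ == "__main__":
    for line_no, message in lint_family(SAMPLE):
        print(f"line {line_no}: {message}")
```

Rows that hold only a placeholder such as TBD are not required to carry a reference.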
Starting a Discussion
If you’d like to ask about a value and not specifically edit it, then you can open a GitHub issue.
- Log into GitHub and go to the issues page.
- Create an issue and ask your question.