<— Back

Understanding ransomware rebranding

During the life-time of a ransomware, the owners and operators usually get together to get the most out of it. While at a first glance we would like to believe that a ransomware family is a standalone piece of code, by analyzing hundreds of binaries we have seen that some of them share more than we expected. In this paper we bring some light to a few ransomware rebrandings that we assisted to, based on some recent concrete examples. While some of them may also be confirmed by public articles, there are also cases requiring a lot of attention to spot the actual bonds. In this paper we use generic unpacking techniques as well as Control Flow Graph analysis to understand the sharing of code pieces.

Dr. Vlad Constantin Craciun

Vlad Craciun is an Assistant Professor at the “Alexandru Ioan Cuza” University of Iasi, Faculty of Computer Science (Romania), studying the field of automated binary analysis. He joined Bitdefender Laboratories in early 2009, being involved in projects like file-infector disinfection, post-incident forensics, building of ransomware decryption tools. His current research interests include automated binary analysis, cryptography, symbolic execution, and Control Flow Graph analysis.