The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such as a formal blog post on a company website). Therefore, I came up with a plan to make a reporting template to help with this.
What are Community Reports?
Individuals can now share what tools they have seen various ransomware groups, affiliates, or initial access brokers (IABs) use via the new Community Report Template. The level of detail provided is the contributor's choice. The more verifiable information is shared, the higher the reliability and credibility of the report.
You can view the current list of Community Reports on GitHub here.
Why the need for Community Reports?
Most CTI about ransomware TTPs comes from open source reports by organisations such as the US Cybersecurity and Infrastructure Security Agency (CISA), The DFIR Report, and other cybersecurity vendors. From the beginning, it was important to have public citations from reputable organisations to maintain the reliability and credibility of the resource overall. Consumers of the Ransomware Tool Matrix should feel confident that the information provided is legitimate and of a high standard.
The problem, however, was that members of the cybersecurity community who work with victims of ransomware attacks also have information about which tools each ransomware group uses.
This information can come from various sources, such as Digital Forensics and Incident Response (DFIR) service providers, Managed Security Service Providers (MSSPs), Endpoint Detection and Response (EDR) vendors, or security researchers who obtain threat intelligence about ransomware groups by other means, such as infiltrating cybercrime forums or open directory hunting.
Until now, these sources had no way to contribute to the Ransomware Tool Matrix because they lacked a publicly citable blog post.
How do Community Reports work?
Members of the community with information about tools used by ransomware groups can now share their observations via the structured report template shown below.
How much detail to include is up to the contributor, but this reporting system gives community members an option to share their findings with the rest of the community who are interested in this information.
Anyone who wants to submit a Community Report can copy the template code, edit in their findings, and submit a pull request to the GitHub repository. Alternatively, they can fork the project and I can merge their commits into the main branch. More details about how to create a pull request from a fork can be found in GitHub's Docs here.
One of the problems with cybersecurity vendor blogs is that many of them are marketing material, and detailing every ransomware incident a company worked on is not great marketing. However, for CTI analysts, incident responders, threat hunters, and detection engineers, these details are crucial to our day-to-day work. That is why the Community Report system was one of the most common pieces of feedback I received, and why I created it.
I look forward to the community's contributions to this new reporting system and hope it helps the many others who are keen to read about the latest tools that ransomware cybercriminals are using.