hokman0414 / RansomwareChatLog-Stylometric-Analysis

Conducting stylometric analysis on ransomware negotiation chat logs

Ransomware chat log files scanned on Copyleaks: DM me on LinkedIn for access to all files already scanned: https://www.linkedin.com/in/calvinso1/

Tracking Sheet: https://docs.google.com/spreadsheets/d/1XQGIhAbXeUQGj7TZq3urmN70oW5mGAsnyk4obak2RFg/edit?usp=sharing

Inspiration Blog: https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html

In my pursuit of knowledge in the field of Cyber Threat Intelligence, I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled "Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz." This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you're interested, you can read the blog post here: https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html (Notably, Will Thomas also appeared on Darknet Diaries, discussing his tracking of the REvil ransomware.)

I recalled encountering a new project related to ransomware negotiation logs. Ransomware negotiation is typically an obscure area where visibility is limited. Valéry Marchive, co-founder of LeMagIT, recently shared a substantial collection of these logs, which can be found on GitHub here: https://github.com/Casualtek/Ransomchats

Building on these observations, we hypothesize that distinct writing styles and consistent linguistic patterns can be identified within ransomware negotiation logs. By applying stylometric analysis to these logs, we aim to attribute specific ransomware attacks to individual operators or groups that consistently appear in these chat exchanges, thus potentially unmasking the identities of the threat actors behind different ransomware strains.
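The hypothesis above can be tried out with a small profile comparison. The following is an added example, not code from this repository (the write-up here relies on Copyleaks scans): it swaps in character trigram profiles with cosine similarity, and the chat labels and messages are constructed for illustration, not taken from Ransomchats.

```python
import math
import re
from collections import Counter

# Constructed operator-side messages, keyed by made-up chat labels (assumption:
# operator turns have already been separated from victim turns).
CHATS = {
    "groupA_chat1": [
        "hello. we are ready to provide you decryptor after payment.",
        "price is final, we not make discount. you have 3 days.",
        "we are waiting for you answer.",
    ],
    "groupA_chat2": [
        "hello. we are ready to provide you test decrypt of 2 files.",
        "price is final. we not make discount for company like you.",
        "we are waiting for you decision.",
    ],
    "groupB_chat1": [
        "Greetings!!! Your network was LOCKED by our team!!!",
        "Pay in 48 hours or ALL data goes public!!! No jokes!!!",
        "Time is ticking... tick-tock!!!",
    ],
}

def char_ngrams(text, n=3):
    """Count character n-grams after lowercasing and collapsing whitespace."""
    text = re.sub(r"\s+", " ", text.lower()).strip()
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))

def profile(messages, n=3):
    """Sum n-gram counts per message so no n-gram spans two messages."""
    total = Counter()
    for msg in messages:
        total.update(char_ngrams(msg, n))
    return total

def cosine(a, b):
    """Cosine similarity of two sparse count vectors; 0.0 if either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def closest(target, chats):
    """Return the most similar other chat and all pairwise scores."""
    tp = profile(chats[target])
    scores = {name: cosine(tp, profile(msgs))
              for name, msgs in chats.items() if name != target}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    print(closest("groupA_chat1", CHATS))
```

A high score indicates shared wording habits or a shared message template between chats; on real logs it should be read alongside message count and length, since a handful of short messages gives an unstable profile.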

Read my full blog post here: https://medium.com/@callyso0414/tracing-ransomware-threat-actors-through-stylometric-analysis-and-chat-log-examination-23f0f84abba8

Languages

Language:Python 100.0%