{
	"id": "b057e2e2-0683-43b5-8837-83ac3f4f6a4a",
	"created_at": "2026-04-06T00:11:42.939644Z",
	"updated_at": "2026-04-10T03:20:56.361906Z",
	"deleted_at": null,
	"sha1_hash": "3f3a8383b82021df0d8092bc041ad86e439e4178",
	"title": "Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3804519,
	"plain_text": "Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz\r\nBy BushidoToken\r\nPublished: 2023-05-24 · Archived: 2026-04-05 23:00:27 UTC\r\n\r\nI recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and they manually check for ransom notes uploaded to VT containing strings such as \".onion\" to find new and interesting ransomware families. However they actually do it, this is a handy repo for the community to use.\r\nhttps://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html\r\nPage 1 of 7\r\n\r\nThree new ransom notes that Zscaler shared that caught my eye belonged to Shadow, 8BASE, and Rancoz. Tracking new ransomware families can be an interesting task: because so many new groups are appearing, it is hard to tell which of the literal hundreds of variants out there launching attacks are worth paying attention to. These three stick out, however, due to the presence of the \".onion\" Tor link inside their ransom notes, because that means they have set up custom infrastructure for advanced cyber extortion, such as negotiation portals, decryption sites, or a data leak site (DLS) to post stolen data if the victim refuses to pay.\r\n\r\nFigure 1: An original Seinfeld meme\r\n\r\nCybercrime intelligence analysts who investigate new ransomware groups should know that it's important to make note when new groups appear and try to see if there are any connections to known threat actors. This helps with intelligence collection efforts and can help analysts decide whether investigating these groups should be a priority. There is only a limited amount of time and a limited amount of resources and, unfortunately, so, so many ransomware groups. Using the ransom notes we can try to identify similarities to other known ransomware families.\r\n\r\nFigure 2: Ransom Notes\r\n\r\nWhat is Stylometry and Stylometric Analysis?\r\nStylometry is the application of the study of linguistic style, usually to written language, but it can also be applied to code and ransom notes. It has also been applied successfully to music, paintings, and chess. We can evaluate an author's style through manual comparisons as well as the application of statistical analysis to a body of their work. Stylometry is often used to attribute authorship to anonymous or disputed documents. To unmask these ransomware groups for who they really are, I used a mixture of the text comparison site copyleaks.com and manual comparison.\r\n\r\nShadow\r\nAnalysis of Shadow's ransom note shows that, although it has some original elements, there are numerous similarities between it and LockBit3.0's ransom note. We can say with fairly strong confidence that this is a reskin of the leaked LockBit3.0 (aka LockBitBlack) builder. There are multiple similarities in the notes that tie these two together. The wide availability of the leaked builder also makes this overlap a very likely scenario. The Shadow ransom note is available in Zscaler's GitHub repo (see here). The LockBit3.0 ransom note is available from PCRisk (see here).\r\n\r\nFigure 3: Comparison between Shadow and LockBit3.0 ransom notes\r\n\r\n8BASE\r\nWhen I examined the 8BASE ransom note it also looked familiar. It turned out that it shares a ton of similarities with a ransom note from the leaked builder of Babuk ransomware. Again, due to the availability of the Babuk ransomware builder and the numerous ransomware groups that use it, this is also a likely scenario. The 8BASE ransom note is available in Zscaler's GitHub repo (see here). The ransom note of the DarkAngel's variant of Babuk ESXi is available from PCRisk (see here).\r\n\r\nFigure 4: Comparison of 8BASE and Babuk ESXi ransom notes\r\n\r\nRancoz\r\nRancoz seemed to be a little bit more interesting, as Cyble analyzed Rancoz (see here) and shared some technical insights. Twitter researcher @F_kZ_ also highlighted the similarities between the Rancoz and 0mega data leak sites (see here). However, neither mentioned that the ransom note is practically identical to the LockBit3.0 note. The Rancoz ransom note is available in Zscaler's GitHub repo (see here).\r\n\r\nFigure 5: Comparison of Rancoz and LockBit 3.0 ransom notes\r\n\r\nConclusion\r\nRansomware research is pretty straightforward these days. These types of cybercriminals prefer templated attacks, reusing tried and trusted TTPs. Now, they do not even need to code their own ransomware or partner with RaaS groups. There are multiple freely available leaked builders ready for them to use instantly. LockBit and Babuk give low-skilled and poorly resourced actors the immediate ability to attack and ransom large organizations. There have already been dozens of variants of these two families. Shadow, 8BASE, and Rancoz are also not likely to be the last.\r\n\r\nMy advice is to keep an eye on these threat actors, as eventually they may begin to retool and evolve. While they are still inexperienced is the best time to try and track them down. Any tips you have to do that are best sent to law enforcement, as well as groups like The Ransomware Task Force and NoMoreRansom.\r\n\r\nSource: https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html"
	],
	"report_names": [
		"unmasking-ransomware-using-stylometric.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f3a8383b82021df0d8092bc041ad86e439e4178.pdf",
		"text": "https://archive.orkl.eu/3f3a8383b82021df0d8092bc041ad86e439e4178.txt",
		"img": "https://archive.orkl.eu/3f3a8383b82021df0d8092bc041ad86e439e4178.jpg"
	}
}