Full Report
Introduction

The Ransomware Tool Matrix continues to be a passion project that I am happy to keep maintaining. One common piece of feedback I have received is that individuals would like to contribute their observations to it, but do not have a public link they can cite (such as a formal blog post on a company website). I therefore came up with a plan to create a reporting template to address this.

What are Community Reports?

Individuals can now share which tools they have seen ransomware groups, affiliates, or initial access brokers (IABs) use via the new Community Report Template. The level of detail provided is the contributor's choice: the more verifiable information that is shared, the more reliable and credible the report.

You can view the current list of Community Reports on GitHub here.

Why the need for Community Reports?

Most CTI about ransomware TTPs comes from open-source reports by organisations such as the US Cybersecurity and Infrastructure Security Agency (CISA), The DFIR Report, and other cybersecurity vendors. From the beginning it was important to require public citations from reputable organisations in order to maintain the reliability and credibility of the resource as a whole. Consumers of the Ransomware Tool Matrix should feel confident that the information provided is legitimate and of a high standard.

The problem, however, was that members of the cybersecurity community who work with victims of ransomware attacks also hold information about which tools each ransomware group uses. This information can come from Digital Forensics and Incident Response (DFIR) service providers, Managed Security Service Providers (MSSPs), Endpoint Detection and Response (EDR) vendors, or security researchers who obtain threat intelligence about ransomware groups through other means, such as infiltrating cybercrime forums or open directory hunting. Until now, these sources had no way to contribute to the Ransomware Tool Matrix, because they lacked a publicly citable blog post.

How do Community Reports work?

Members of the community with information about tools used by ransomware groups can now share their observations via the structured report template shown below. How much detail to include is up to the contributor, but this reporting system gives community members a way to share their findings with everyone else who is interested in this information.

Anyone who wants to submit a Community Report can copy the template code, fill in their findings, and submit a pull request to the GitHub repository. Alternatively, they can fork the project and I can merge their commits into the main branch. More details on creating a pull request from a fork can be found in GitHub's Docs here.

Conclusion

One problem with cybersecurity vendor blogs is that many of them are marketing material, and details about every ransomware incident a company worked on do not make for great marketing. For CTI analysts, incident responders, threat hunters, and detection engineers, however, these details are crucial to our day-to-day work. That is why a community reporting system was one of the most common pieces of feedback I received, and why I created it.

I look forward to contributions from the community to this new reporting system, and I hope it helps the many people who are keen to read about the latest tools ransomware cybercriminals are using.
Analysis Summary
This article primarily describes a meta-update to the "Ransomware Tool Matrix," specifically the introduction of "Community Reports" aimed at allowing security professionals to contribute observed threat intelligence without needing a public citation. The article does not detail specific malware, tools, or TTPs directly; rather, it explains the *mechanism* for collecting that information.
Since the context provided is about the *mechanism* for data collection rather than a specific tool's technical details, the summary below focuses on the concept introduced (Community Reports) and generalized concepts mentioned (Ransomware Tools Matrix, IABs, Ransomware Groups).
# Tool/Technique: Ransomware Tool Matrix Community Reports
## Overview
The "Community Reports" feature is a newly established mechanism designed to allow members of the cybersecurity community (such as DFIR providers, MSSPs, EDR vendors, and researchers) to contribute observations about tools used by ransomware groups, affiliates, and Initial Access Brokers (IABs) directly to the public "Ransomware Tool Matrix" repository on GitHub. This addresses the limitation where valuable, real-world telemetry could not be shared publicly due to contributors lacking citable blog posts.
## Technical Details
- Type: Framework/Procedure (Data Collection Methodology)
- Platform: Not applicable (This is a reporting system)
- Capabilities: Structured sharing of threat intelligence regarding ransomware ecosystem tooling. Enables non-publicly citable observations to be aggregated and shared within the community framework.
- First Seen: September 13, 2025 (Date of announcement)
## MITRE ATT&CK Mapping
As this is a data collection *methodology* rather than a specific offensive capability, direct mapping is difficult. However, the goal is to capture intelligence related to the following categories:
- TA0011 - Collection
- T1560 - Archive Collected Data (If artifacts from tool usage are being shared)
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (If tools being reported utilize LOLBins)
## Functionality
### Core Capabilities
- Allows community members to document observations of ransomware-related tools with variable levels of detail using a structured GitHub template.
- Provides an alternative contribution path outside of traditional, vendor-backed blog posts.
### Advanced Features
- Makes use of high-fidelity, on-the-ground intelligence derived from DFIR engagements, which is often faster to obtain or more specific than vendor reports.
- Designed to enhance the overall reliability and comprehensiveness of the Ransomware Tool Matrix.
## Indicators of Compromise
No specific, newly observed IOCs are provided in this announcement, as the content focuses on the reporting structure.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
The system is designed to collect intelligence on:
- Ransomware Groups
- Ransomware Affiliates
- Initial Access Brokers (IABs)
## Detection Methods
N/A (This section relates to detecting the *tools* being reported, not the reporting system itself.)
## Mitigation Strategies
N/A (This section relates to mitigating the *malware/tools* being reported, not the reporting system itself.)
## Related Tools/Techniques
- Ransomware Tool Matrix (The core project being updated)
- Cybercrime Forums Tactics (Implied source of original intelligence that now has a formal reporting path)