Cyber Threat OSINT Verified May 16, 2026

Ransomware finder

Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.


Investigator Use

ID Ransomware, operated by MalwareHunterTeam, is a free online service that allows victims and security researchers to identify ransomware variants by uploading ransom notes or encrypted file samples. For incident responders, malware analysts, and OSINT investigators tracking cybercriminal groups, ID Ransomware is a critical first-response tool when dealing with ransomware infections.

The service maintains a database of hundreds of known ransomware families, continuously updated as new variants emerge. When a ransom note is uploaded, the system compares it against known templates, payment instructions, cryptocurrency addresses, and distinctive phrasing used by different ransomware groups. Similarly, encrypted file extensions and sample files help narrow down the specific variant.

Identifying the specific ransomware family is critical because different variants have different characteristics: some have known decryption tools available (particularly those where law enforcement has seized decryption keys), others require payment, and some (like wipers disguised as ransomware) have no decryption path at all. ID Ransomware links identified variants to the No More Ransom project, which aggregates free decryption tools from law enforcement and security vendors.

For threat intelligence investigators, ransomware identification enables attribution research. Once a variant is identified, investigators can research the associated criminal group, their known tactics, cryptocurrency wallets used for payments, and any law enforcement actions taken against them. This intelligence supports reporting to authorities and helps organizations understand their attacker.

The platform also accepts new submissions to help identify unknown variants, contributing to the community's knowledge base. When a new ransomware sample cannot be identified, submitting it may prompt security researchers to analyze and catalog it.

Limitations include coverage gaps for very new or highly customized ransomware. Some sophisticated actors modify known ransomware code substantially to evade identification. For these cases, manual analysis by a malware analyst may be required.

Document the identified variant name, detection confidence, and any linked decryption resources in incident response reports. Never submit files containing sensitive personal or corporate data without first removing that data.


Before You Pivot

Record Context

Capture the target, search terms, and why this source is relevant before you leave the page.

Preserve Evidence

Archive volatile pages, save screenshots, and keep timestamps for anything that may change.

Corroborate

Treat one tool as a lead source. Confirm important findings with independent sources.
