// case comparison
ransomware vs BEC
both can hit finance and email — but ransomware leaves encryption and lateral-movement artifacts; BEC is wire fraud via impersonated threads.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
ransomware response
encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.
- 01 ransomware encryption onset timer: drop mft csv and evtx csv · pinpoint the exact moment encryption began · identify the patient-zero file · work backward to find initial access · correlate with attacker actions · runs locally
- 02 ransomware pre-encryption staging detector: drop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
- 03 ransomware family identifier: drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
- 04 ransom note analyzer: paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
- 05 double extortion evidence collector: drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
- 06 lateral movement chain visualizer: drop evtx csvs · link logon, service creation and remote execution events · reconstruct multi-hop chains · runs locally
- 07 backup deletion artifact analyzer: drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with ransomware timeline · runs locally
- 08 mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
business email compromise (BEC)
vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
- 01 email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- 02 email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- 03 .eml / .msg email header chain analyzer: drop an eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- 04 email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop an eml file · validate authentication headers · detect spoofing indicators · surface spf, dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
- 05 received header hop analyzer: paste raw email headers or drop an eml file · parse all received headers · reconstruct the smtp routing path hop by hop · compute per-hop timing · surface anomalous delays, private ips and inconsistent hostnames · runs locally
- 06 mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between the claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
- 07 email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
- 08 mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions and actions · flag suspicious forward/redirect rules · CSV export · runs locally
editorial overlap
2 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward ransomware if you see…
- mass file encryption, rename bursts, or shadow-copy deletion on endpoints
- ransom note, staging folders, or double-extortion exfil manifest
- lateral movement and backup-deletion artifacts in Windows event logs
lean toward BEC if you see…
- fraudulent wire or payroll request delivered via email thread
- no encryption artifacts on endpoints — only mailbox and header anomalies
- vendor impersonation with spoofed reply chain but no malware deployment