// case comparison

ransomware vs cryptojacking

security sees an endpoint CPU spike, suspicious DNS, and scheduled-task persistence. case A is ransomware response: encryption onset, backup deletion, lateral movement, and double-extortion staging. case B is cryptojacking: an unauthorized miner workload, pool traffic, and beaconing without a file-encrypting payload. the wrong call sends you to the encryption-onset timer and ransomware family identifier when you need process-tree and beaconing analysis, or vice versa: chasing pool domains while missing encryption onset.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

ransomware response

encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.

  1. ransomware encryption onset timer: drop mft csv and evtx csv · pinpoint the exact moment encryption began · identify patient zero file · work backward to find initial access · correlate with attacker actions · runs locally
  2. ransomware pre-encryption staging detector: drop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
  3. ransomware family identifier: drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
  4. ransom note analyzer: paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
  5. double extortion evidence collector: drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
  6. lateral movement chain visualizer: drop evtx csvs · link logon, service creation and remote execution events · reconstruct multi-hop chains · runs locally
  7. backup deletion artifact analyzer: drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with ransomware timeline · runs locally
  8. mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export csv · runs locally
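
the mass rename detector and the encryption onset timer above rest on the same observation: ransomware renames or rewrites many files in a tight burst, usually by appending one new extension to the original name. the following is an added example written for this page (not the code of any tool listed here) that clusters rename events by inter-event gap, reports the onset time and patient-zero file of each burst, and scores how much of the burst is the append-an-extension pattern. the input format (timestamp,old_path,new_path), the thresholds (60 s gap, 5 events) and the sample events are assumptions constructed for the example; a real MFT csv would need its own column mapping first.

```python
from collections import Counter
from datetime import datetime

# Constructed rename events in the shape "timestamp,old_path,new_path".
# Not real case data: one benign rename at 09:12, a burst at 11:40 that
# appends ".lckd" to six files, and a benign rename at 15:02.
SAMPLE_RENAMES = """\
2024-03-04T09:12:01Z,C:\\Users\\a\\Documents\\q1.xlsx,C:\\Users\\a\\Documents\\q1.xlsx.bak
2024-03-04T11:40:00Z,C:\\Users\\a\\Documents\\report.docx,C:\\Users\\a\\Documents\\report.docx.lckd
2024-03-04T11:40:02Z,C:\\Users\\a\\Documents\\budget.xlsx,C:\\Users\\a\\Documents\\budget.xlsx.lckd
2024-03-04T11:40:03Z,C:\\Users\\a\\Pictures\\photo.jpg,C:\\Users\\a\\Pictures\\photo.jpg.lckd
2024-03-04T11:40:05Z,C:\\Users\\a\\Desktop\\notes.txt,C:\\Users\\a\\Desktop\\notes.txt.lckd
2024-03-04T11:40:09Z,C:\\Users\\a\\Desktop\\plan.pptx,C:\\Users\\a\\Desktop\\plan.pptx.lckd
2024-03-04T11:40:12Z,C:\\Users\\a\\Desktop\\db.sqlite,C:\\Users\\a\\Desktop\\db.sqlite.lckd
2024-03-04T15:02:44Z,C:\\Users\\a\\Desktop\\draft.docx,C:\\Users\\a\\Desktop\\final.docx
"""


def parse_renames(text):
    """Parse 'timestamp,old_path,new_path' lines into (datetime, old, new),
    sorted by time. Blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, old, new = line.split(",", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), old, new))
    events.sort(key=lambda e: e[0])
    return events


def appended_extension(old, new):
    """Return the suffix appended to the original name, the classic pattern
    'report.docx' -> 'report.docx.lckd', or None if the rename is not of that form."""
    if new.startswith(old + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:].lower()
    return None


def cluster_by_gap(events, max_gap_s):
    """Group consecutive events whose spacing is at most max_gap_s seconds."""
    clusters = []
    for ev in events:
        if clusters and (ev[0] - clusters[-1][-1][0]).total_seconds() <= max_gap_s:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def find_rename_bursts(events, max_gap_s=60, min_count=5):
    """Report clusters of at least min_count renames: onset time (the
    encryption-onset estimate), first file touched (patient-zero file),
    dominant appended extension and the share of renames using it."""
    bursts = []
    for cluster in cluster_by_gap(events, max_gap_s):
        if len(cluster) < min_count:
            continue
        exts = Counter(e for e in (appended_extension(o, n) for _, o, n in cluster) if e)
        top_ext, top_n = exts.most_common(1)[0] if exts else (None, 0)
        bursts.append({
            "onset": cluster[0][0].isoformat(),
            "end": cluster[-1][0].isoformat(),
            "count": len(cluster),
            "patient_zero_file": cluster[0][1],
            "extension": top_ext,
            "append_ratio": top_n / len(cluster),
        })
    return bursts


def looks_like_ransomware(burst, min_append_ratio=0.8):
    """A burst where most renames append one shared extension is the
    ransomware signal; a burst of unrelated renames (a migration script) is not."""
    return burst["extension"] is not None and burst["append_ratio"] >= min_append_ratio


if __name__ == "__main__":
    for b in find_rename_bursts(parse_renames(SAMPLE_RENAMES)):
        print(b, "ransomware-like" if looks_like_ransomware(b) else "benign bulk rename")
```

the gap-based clustering is deliberately simple: it finds the onset without a tunable sliding window, and a long encryption run stays one burst as long as the encryptor never pauses longer than the gap. on a real listing, lower min_count for small hosts and check the patient-zero file against the evtx timeline before calling it initial access.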
case b

cryptojacking

unauthorized miner on endpoint / cloud workload — CPU/GPU baseline drift + persistence + outbound pool traffic.

  1. process tree rebuilder: drop a memory dump · scan EPROCESS pool tags · reconstruct parent/child process tree · flag orphaned and suspicious chains · export csv · runs locally
  2. memory pe extractor: drop a memory dump · scan for PE headers · carve embedded executables · rebuild PE structure · download extracted files · runs locally
  3. memory entropy analyzer: drop a memory dump · shannon entropy per block · heatmap · high-entropy regions · hex dump · csv + png export · runs locally
  4. in-memory malware configuration extractor: drop a process memory dump · xor-decode json/xml config blocks · extract c2 ip, port, campaign, mutex · multi-technique local scan · runs locally
  5. network beaconing detector: drop connection logs or pcap · statistical analysis of connection intervals per host · jitter detection · c2 beaconing patterns · periodic callback identification · export csv · runs locally
  6. beaconing pattern detector: drop pcap or zeek conn log · periodic c2 beacon intervals · regularity and jitter scores · export csv · runs locally
  7. dns query analyzer: drop a pcap or paste a dns log · extract queries · detect DGA patterns · dns tunneling · high-frequency domains · suspicious TLDs · export csv · runs locally
  8. c2 callback interval analyzer: drop pcap or zeek conn log · deep interval stats · c2 framework timing profiles · jitter estimation · export csv · runs locally
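
three of the case B tools (network beaconing detector, beaconing pattern detector, c2 callback interval analyzer) score the same thing: how regular the inter-connection intervals from one host to one destination are. the following is an added example written for this page, not any tool's own code, that parses a zeek conn.log by its #fields header, groups connections per (source, destination, port), and scores jitter as the coefficient of variation of the inter-arrival gaps. the sample log is constructed (a 30 s callback to 203.0.113.10:3333, a noisy flow to 198.51.100.7:443, a two-connection flow below the minimum) and the thresholds (6 connections, cv <= 0.2) are assumptions, not values the page states.

```python
import statistics
from collections import defaultdict


def _line(ts, src, dst, dport):
    """Build one zeek-style conn.log row (only the columns this example reads)."""
    return f"{ts:.6f}\t-\t{src}\t52000\t{dst}\t{dport}\ttcp"


# Constructed conn.log excerpt, not real traffic. Real conn.log rows carry many
# more columns; the parser honours the #fields header, so a full log works too.
_BASE = 1709550000.0
SAMPLE_CONN_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"]
    # a periodic callback every ~30 s with a little jitter
    + [_line(_BASE + o, "10.0.0.5", "203.0.113.10", 3333)
       for o in (0, 30.5, 60.2, 91.0, 120.8, 150.4, 181.1, 210.9)]
    # ordinary bursty browsing-like traffic
    + [_line(_BASE + o, "10.0.0.5", "198.51.100.7", 443)
       for o in (5, 12, 100, 103, 400, 401, 900)]
    # too few connections to score
    + [_line(_BASE + o, "10.0.0.5", "192.0.2.9", 80) for o in (7, 600)]
)


def parse_conn_log(text):
    """Parse zeek conn.log text into dicts keyed by the names in #fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #open, #close and blank lines
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def beacon_scores(rows, min_connections=6):
    """Per (orig_h, resp_h, resp_p) flow: connection count, mean gap, jitter
    (coefficient of variation of gaps) and a 0..1 regularity score."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    scores = {}
    for key, ts in flows.items():
        if len(ts) < min_connections:
            continue  # not enough samples for interval statistics
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores[key] = {
            "connections": len(ts),
            "mean_interval_s": round(mean, 2),
            "jitter_cv": round(cv, 3),
            "regularity": round(max(0.0, 1.0 - cv), 3),
        }
    return scores


def likely_beacons(scores, max_cv=0.2):
    """Flows whose gap jitter is small enough to look machine-scheduled."""
    return sorted(k for k, s in scores.items() if s["jitter_cv"] <= max_cv)


if __name__ == "__main__":
    scores = beacon_scores(parse_conn_log(SAMPLE_CONN_LOG))
    for key in likely_beacons(scores):
        print(key, scores[key])
```

one caveat for the cryptojacking case: a running miner usually holds a single long-lived stratum session to the pool, so the mining traffic itself produces one connection, not a beacon. interval analysis catches the loader's c2 callbacks and pool reconnects; pair it with the dns query analyzer output (pool domains, high-frequency lookups) rather than expecting the pool flow to score as a beacon.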

editorial overlap

2 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward ransomware if you see…

  • a mass file rename burst, or a datable encryption onset in the mft/evtx timeline, on the endpoint
  • shadow-copy deletion, volume-shadow disable, or backup-deletion burst in Windows event logs
  • ransom note, staging folder, or double-extortion exfil manifest — not pool-domain beaconing alone

lean toward cryptojacking if you see…

  • sustained high CPU/GPU with miner process tree and memory-entropy spike — no mass encryption event
  • outbound connections to mining pool domains or C2 beacon interval without file-encrypting payload
  • persistence via scheduled task or registry autorun for miner binary — no lateral-movement chain to domain controllers