ransomware vs insider threat
SOC sees data loss and abnormal file activity. case A is ransomware-response: encryption onset, lateral movement, backup deletion, and ransom-note artifacts. case B is insider-threat: sustained access-anomaly, peer-group outlier, and DLP exfil over days or weeks. a wrong call triggers the encryption-onset-timer and ransomware-staging-detector when you need the insider-threat-indicator-scorer, or treats a departing employee's gradual cloud-share leak as a patient-zero malware event.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
ransomware response
encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.
- 01 · ransomware encryption onset timer: drop mft csv and evtx csv · pinpoint the exact moment encryption began · identify patient zero file · work backward to find initial access · correlate with attacker actions · runs locally
- 02 · ransomware pre-encryption staging detector: drop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
- 03 · ransomware family identifier: drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
- 04 · ransom note analyzer: paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
- 05 · double extortion evidence collector: drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
- 06 · lateral movement chain visualizer: drop evtx csvs · link logon, service creation and remote execution events · reconstruct multi-hop chains · runs locally
- 07 · backup deletion artifact analyzer: drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with ransomware timeline · runs locally
- 08 · mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export csv · runs locally
insider threat / data exfiltration
departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.
- 01 · insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
- 02 · data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
- 03 · peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
- 04 · time-of-day activity fingerprinter: drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
- 05 · user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
- 06 · copy-paste behavior and data lineage tracer: drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
- 07 · user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
- 08 · credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward ransomware if you see…
- mass file encryption, rename burst, or encryption-onset timer on endpoint
- shadow-copy deletion, ransomware note, or double-extortion exfil manifest
- lateral-movement chain to multiple hosts, not longitudinal UEBA elevation on one identity alone
lean toward insider threat if you see…
- gradual peer-group outlier or after-hours access spike over weeks before any encryption event
- cloud-share DLP hits or copy-paste bursts on sensitive repos without mass encryption on workstation
- insider-threat-indicator-scorer elevation without ransomware-family or backup-deletion artifacts