
ransomware-acme-corp — reference investigation

ACME Corp is a 280-endpoint healthcare MSP serving fourteen small clinics. Initial access came via a phished MFA token against the IT director six days before encryption. Dwell included BloodHound recon, PsExec lateral movement, Cobalt Strike beaconing, shadow-copy deletion, and Veeam backup tampering. Encryption onset was 2026-03-12 02:14 UTC with a BlackCat/ALPHV ransom note. All data is synthetic.

what this proves

  • every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (8/8).
  • every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.
  • the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

primary engines locked to this fixture

build the case binder

one click runs all eight primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.


download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

built deterministically from scripts/fixtures/build-ransomware-acme-corp.mjs. seed: ransomware-acme-corp:v1.

methodology

ransomware response is not “malware response.” the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs. start with the encryption onset timer, then walk the staging → lateral → backup → rename → note → family → exfil path. read the full ransomware response guide →

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across encryption onset, staging, lateral movement, and exfil — still zero upload.
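the staging → lateral → backup → rename → note path from the methodology section and the timestamp-sorted timeline described above, as an added example that is not part of this page or the fatcousin tooling. the input format of the real super-timeline correlator is not documented here, so this assumes two constructed evidence exports (a csv of windows security events and a json list of edr alerts), normalizes them into one event shape, sorts by time, tags each event with a stage from the scenario, and positions everything relative to the stated encryption onset. every host name, address and detail string is constructed sample data:

```javascript
// Added example, not the fixture's own code. A minimal super-timeline
// correlator: merge two constructed evidence sources, sort by time, tag stages,
// and express each event as hours before/after encryption onset.

// Encryption onset as stated for the ransomware-acme-corp scenario.
const ENCRYPTION_ONSET = "2026-03-12T02:14:00Z";

// Constructed sample: CSV export of Windows Security events (not real data).
const SECURITY_CSV = `timestamp,host,event_id,detail
2026-03-06T02:14:00Z,WS-ITDIR01,4624,logon type 10 for itdirector from 203.0.113.7
2026-03-09T14:02:55Z,DC01,4688,SharpHound collector executed
2026-03-11T23:48:03Z,FS01,7045,service PSEXESVC installed
2026-03-12T01:55:40Z,FS01,4688,shadow copy deletion via vssadmin`;

// Constructed sample: JSON export of EDR alerts (not real data).
const EDR_JSON = JSON.stringify([
  { ts: "2026-03-10T03:10:00Z", host: "WS-ITDIR01", alert: "beacon to 198.51.100.23:443 every 60s" },
  { ts: "2026-03-12T00:31:17Z", host: "BKP01", alert: "Veeam job configuration modified" },
  { ts: "2026-03-12T02:14:00Z", host: "FS01", alert: "mass file rename across shares" },
]);

// Stage tags follow the scenario path; first matching rule wins.
const STAGE_RULES = [
  [/logon type 10|rdp/i, "initial-access"],
  [/sharphound|bloodhound/i, "recon"],
  [/beacon/i, "c2"],
  [/psexesvc|psexec/i, "lateral"],
  [/shadow|veeam/i, "backup"],
  [/rename/i, "rename"],
];

function classifyStage(detail) {
  const hit = STAGE_RULES.find(([re]) => re.test(detail));
  return hit ? hit[1] : "unclassified";
}

// Tiny CSV reader: fixed leading columns, the last column may contain commas.
function parseCsv(text) {
  const [header, ...rows] = text.trim().split("\n");
  const cols = header.split(",");
  return rows.map((line) => {
    const parts = line.split(",");
    const rec = Object.fromEntries(cols.slice(0, -1).map((c, i) => [c, parts[i]]));
    rec[cols[cols.length - 1]] = parts.slice(cols.length - 1).join(",");
    return rec;
  });
}

// Every source is reduced to the same shape; a bad timestamp is an error,
// not a silently dropped event.
function normalize(source, ts, host, detail) {
  const epoch = Date.parse(ts);
  if (Number.isNaN(epoch)) throw new Error(`${source}: unparseable timestamp ${ts}`);
  return { ts: new Date(epoch).toISOString(), epoch, source, host, stage: classifyStage(detail), detail };
}

function buildTimeline(csvText, jsonText, onset = ENCRYPTION_ONSET) {
  const onsetMs = Date.parse(onset);
  const events = [
    ...parseCsv(csvText).map((r) => normalize("security.csv", r.timestamp, r.host, `EID ${r.event_id}: ${r.detail}`)),
    ...JSON.parse(jsonText).map((a) => normalize("edr.json", a.ts, a.host, a.alert)),
  ];
  // Array.prototype.sort is stable, so events at the same instant keep source order.
  events.sort((a, b) => a.epoch - b.epoch);
  // Negative values are hours before encryption onset.
  for (const e of events) e.hoursFromOnset = Math.round(((e.epoch - onsetMs) / 36e5) * 100) / 100;
  return events;
}

// Dwell: earliest evidence to encryption onset, in days.
function dwellDays(timeline, onset = ENCRYPTION_ONSET) {
  return (Date.parse(onset) - timeline[0].epoch) / 864e5;
}

function renderTimeline(timeline) {
  return timeline
    .map((e) => `${e.ts}  ${String(e.hoursFromOnset).padStart(8)}h  ${e.stage.padEnd(14)} ${e.host.padEnd(11)} ${e.source.padEnd(12)} ${e.detail}`)
    .join("\n");
}

const TIMELINE = buildTimeline(SECURITY_CSV, EDR_JSON);
console.log(renderTimeline(TIMELINE));
console.log(`dwell before encryption: ${dwellDays(TIMELINE).toFixed(2)} days`);
```

the sort key is the parsed epoch rather than the string, so sources that export timestamps in different formats still interleave correctly, and the stage tag is assigned per event rather than per source because one edr feed will typically carry alerts from several stages of the same intrusion.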

synthetic scenario only · no real victim · outputs require independent verification before legal or insurance use · grading rubric
