drop encrypted file sample + ransom note + initial-access evidence · run identification + family attribution + payment options dossier · runs locally
encrypted sample · ransom note · ioc export · local only
heuristic screener · vendor schema varies · not definitive proof