// Malware Analysis

Malware Analysis & Reverse Engineering

Understanding what the malware did is not optional — it defines your remediation scope, your notification obligations, and your legal exposure. We reverse-engineer the threat so you respond with precision, not assumption.

Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026

< 1 Hour Response Global DFIR Specialists 24/7 Support
Get SupportAll Services

All Services

IR Retainer Incident Response Digital Forensics Malware Analysis Ransomware Negotiations Dark Web Monitoring Dark Web Data Recovery Tabletop Exercises Security Assessments Threat Intelligence Cyber Insurance Support M&A Cyber Due Diligence Professional Speaking Expert Witness Services Breach Notification Support

Why Malware Analysis Matters

When ransomware encrypts your files, a loader drops a RAT, or a phishing email delivers a credential stealer, the artefact left behind contains a complete record of what happened. Most incident responses stop at containment and recovery — without answering the questions that determine legal and regulatory liability:

  • What data did the malware access, exfiltrate, or destroy?
  • How long was it present before detection?
  • What credentials or systems did it compromise?
  • Is this a known threat actor, and what do we know about their next moves?
  • Is there a secondary implant we haven't found yet?

Without these answers, you are remediating blind, making notification decisions on assumptions, and facing regulatory or legal exposure that could have been avoided.

Our Analysis Capability

Static Analysis

We examine malware without executing it — dissecting its structure, embedded strings, imported libraries, obfuscation techniques, and code logic. Static analysis identifies:

  • File type, packer, and obfuscation identification
  • Embedded IOCs — C2 domains, IP addresses, registry keys, file paths
  • Functionality mapping — what the code is designed to do
  • Code similarity and attribution to known malware families
  • Cryptographic routines — relevant for ransomware decryption assessment

Dynamic Analysis

We detonate malware in isolated environments to observe its real-world behaviour — what it does when it runs, not just what its code suggests:

  • Process execution and injection behaviour
  • File system and registry modifications
  • Network communications — C2 beaconing, data exfiltration channels
  • Persistence mechanisms and lateral movement capability
  • Anti-analysis evasion technique identification
  • Data access and staging behaviour

Ransomware-Specific Analysis

For ransomware incidents, malware analysis tells you whether decryption is feasible without payment, validates that a threat actor's decryptor works before payment, and builds the technical evidence base for insurance claims and regulatory notifications:

  • Encryption algorithm and key management analysis
  • Decryptor validation — testing against small encrypted sample sets before full deployment
  • Data exfiltration scope — identifying what was staged and transmitted before encryption
  • Affiliate and RaaS family attribution

Threat Attribution

We map the malware against known threat actor TTPs, malware families, and infrastructure patterns — identifying who is likely responsible, what their typical objectives are, and whether further activity is expected. Attribution findings are caveated appropriately and structured for use in legal proceedings where required.

Deliverables

  • Technical malware report — full analysis findings, methodology, and IOC list suitable for legal proceedings and regulatory submissions
  • Executive summary — plain-language findings for board, legal, and insurer audiences
  • IOC package — machine-readable indicators for deployment to your security tooling
  • Remediation guidance — specific actions required based on confirmed malware capability, not assumed worst-case
  • Decryptor validation report — for ransomware cases where payment is under consideration

Standalone or Integrated

Malware analysis works as a standalone service — where you have artefacts from a previous incident and need answers — or as part of a live incident response where samples are collected and analysed in parallel. Findings feed directly into remediation scoping, breach notification decisions, and insurance claims.

If you have recovered malware samples and need to understand what they did, contact us. Turnaround for initial findings is typically 24–48 hours from sample receipt.

Need Malware Analysed?

Send us the samples. We'll tell you exactly what you're dealing with.

Contact Us

Frequently Asked Questions

What types of malware do you analyse?

We analyse all malware families — ransomware, remote access trojans (RATs), information stealers, rootkits, wipers, cryptominers, botnet agents and custom implants. We handle samples from Windows, Linux, macOS and mobile platforms.

What do I get from a malware analysis report?

Our reports include: malware classification and family identification, static and dynamic behaviour analysis, network indicators (C2 domains, IPs, protocols), file system indicators (IOCs), persistence mechanisms, lateral movement capabilities, and actionable detection rules (YARA, Sigma, Snort).

Can you analyse malware found during an active incident?

Absolutely — and this is one of our most common use cases. During active incidents, rapid malware analysis helps us understand attacker capabilities, identify all compromised systems, and develop targeted containment and eradication strategies.

How long does malware analysis take?

Initial triage (malware family identification, key IOCs) is typically available within 4-8 hours. A full deep-dive analysis with detailed reporting takes 2-5 business days depending on malware complexity and obfuscation.

Related Insights

🚨 Active Incident? Contact Us Now