Ransomware containing embedded Child Sexual Abuse Material (CSAM) is an increasingly common problem for online child sexual exploitation investigators and examiners. The identification of malware on a device which contains embedded CSAM opens the door for a defense of “the malware did it”. This webinar will present a case study of a limited-scope examination of CSAM ransomware identified on an android device.