"You can find them yourself on the internet!" In my best dream ever, I can imagine Tobias responding with, "So are you regretting your decision to retire RSA in favor of a flawed implementation of ECC?"
@jintz29 ай бұрын
Typical Mastodon user.
@elmo2you9 ай бұрын
To me it sounded like the audience member either has a nasty personality disorder, or some considerable (personal) animosity and/or arrogance driving those statements. Anyone knows more about what was going on there? Maybe just a disgruntled anonymous soul (be that legitimately or not), but to me it felt like there was much more going on there than just the words spoken.
@effsixteenblock509 ай бұрын
@@elmo2you The audience member sounded like she was implying that since the ransomware actor had again changed encryption schemes (unconfirmed?), that Tobias's presentation was a "nothing-burger" and that she was somehow "exposing" him. Whether or not the actor did in fact do what she alleges, she is wrong.
@sfdntk9 ай бұрын
@@elmo2you I reckon she's just on the spectrum and isn't intentionally coming across as confrontational, conferences like these (and the industry as a whole) naturally attract a lot of neurodivergent people. One of the ways that ASD can present itself is the inability to detect or emulate tone in conversation, some people on the spectrum can come across as far ruder than they intend to be without realising it. Obviously we have no way of knowing if that's the case for this particular woman, maybe she feels like her time was wasted and she's annoyed about it, but I think we should give her the benefit of the doubt and not jump to any solid conclusions about her intent.
@JamesBos9 ай бұрын
Huge respect to Tobias and co for releasing this. They could have made a motza holding this close to their chest. ❤️
@ewookiis8 ай бұрын
It's been ages since this was not already in the public domain on how to approach it. The nitty gritty is not always needed - the better part is _how_ to act if it happens - and before that - always - always ensure a sound level of sanity (security / compliance etc etc..) in environments.
@dascandy8 ай бұрын
Hoping Tobias reads the youtube comment section... if you have an encrypted file that is likely to contain blocks of pure zeroes - heck, even a MKV file typically contains at least 2kB of zeroes, and no other blocks of 64-bytes that are commonly present in the file - you should be able to scan through the file to find the most common block at those offsets, and xor each of them with that block, to decrypt any such file. Would even work if it were encrypted multiple times as long as each of the encryption steps was using the same kind of broken software. With regards to file formats specifically, most file formats storing "large" files prefer to have a header describing the start of the file, and the remainder in chunks that are often aligned on page boundaries. That means that you're likely to find chunks of an average of 2kB of zero bytes or 0xFF bytes with padding. Executables, shared libraries, movie file formats, music file formats all do this. Image file formats don't, sadly, so there might be something doable with predefined knowledge of the file format. You don't want to be brute forcing, but you can definitely use different fixed-offset chunks that contain different parts of the "key".
@TheSlimHim9 ай бұрын
This is amazing! I wonder if they will take on the phobos decryption project going on?
@magicmulder9 ай бұрын
Assuming the ransomware peeps would actually honor their pledge to decrypt when they’re paid, how do *they* know which key to use for which file? It’s not really feasible for them to phone all keys home after all.
@TobiKellner9 ай бұрын
At around 11:50 he talks about every victim getting their own file extension. Presumably that extension and/or the "Login ID" in the ransom instructions .txt somehow contain the key in an encoded form?
@effsixteenblock509 ай бұрын
Remember that copies of the files are exfilled to the actor's own infrastructure. I'm sure that the key and other relevant data is as well.
@debug_duck9 ай бұрын
It is fairly easy to derive unique per-file encryption keys from a common secret, which can then be used as single-point to unlock all files. That is undoubtly what they are doing with the extension and/or the extra bytes in the files.
@tomt76219 ай бұрын
Genialer interessanter talk ich liebe dieses Jahr die Konferenz mit fast jedem talk mehr, mir fehlt nur noch: Ein talk von David Kriesel Eine Erklärung warum ein talk von einem deutschen auf einer deutschen Konferenz auf englisch gehalten wird. Again another great ccc this year. There are so many Talks i enjoied. I also love this talk. I dont know why, but i even enjoy the ccc Talks more then some of the las vegas conferences... But why is this talk in english? Obviously you can reach way more people by talking in english and i'm really happy Talks in other languages are Part of the ccc conferences and that some angels translate the Talks... But why are some Talks from germans at a german conferences are hold originally in english? My 7 year old son watches sometimes the Talks together with me and the reason he enjoys ccc more then Black hat or defcon is the german language.
@FunctionGermany9 ай бұрын
i guess because certain topics like this one are likely interesting to audiences with other languages. in one graph you can see that while this ransomware is one of the most used in germany, it is also used a lot in other countries. part of the mission of this talk is to spread the message about this decryptor being available as well as educating about preventative measures and using english helps in this case.
@StuartWoodwardJP9 ай бұрын
At a conference like the CCC a huge part of the event is actually being there and the presenters only get one chance a year on the main stage to present their work. Presentations go on from 8AM to Midnight in some conferences and if they had an additional day or extra stages the schedule would still be full of people wanting to present. However increases in the number of stages dilutes the attendance and creates logistical problems and increases to the length of the conference reduces the quality. So at a certain point a line is drawn and the results are what we see. Even if a presenter wanted to present in multiple languages there isn't the time or opportunity. However, I would suggest that if you find an interesting talk that you would like to hear in German then contact the speaker, they may already have given the talk locally, or might do so as a result of your request. They might even record it for you.
@DanielMüller-x8s9 ай бұрын
Imagine they would use the key for every file for performance reasons. That would be lolz. Anyways huge thumbs for this effort. If any client is virtualized you can recover almost everything. Wow.
@deanvangreunen64579 ай бұрын
Talk starts at 12:00
@frogz9 ай бұрын
somewhere somebody in a foreign language: RATS, NOW HOW AM I SUPPOSED TO MAKE MONEY? thank you whoever reverse engineers things, especially for the betterment of fellow humans
@aaronr.96449 ай бұрын
If we know their bitcoin addresses, wouldn't it be possible to blacklist them such that miners would not add these transactions to new blocks? Gone are the days of people mining at home. Mining has become big business requiring large investments. I assume it is much easier to reach the miners then the criminals. Wouldn't it be worthwhile to try and blacklist these addresses?
@loeffel9998 ай бұрын
Nothing stops them to create new bc wallets all the time.
@oneinanull549821 күн бұрын
You would need more than 50% of nodes on the network to negotiate a hard fork. The blockchain is a read only ledger that uses distributed computing to verify each block. Getting a 50% majority is mostly impossible. Eth actually did something similar a long time ago (Etherium classic is the original chain) after someone found a bug that let them basically steal a bunch of eth out of other accounts. But any fork of the chain is a fundamental disagreement on which ledger, aka which coin, to follow. So tldr: no
@trungkiennguyen76559 ай бұрын
Interesting, the malware is using best practice according to payment practices (separate Cipher Object for each chunk) Definitely could have been made faster, and even harder for researchers to analyze, if they used the same cipher for all chunks (state-based) The author must have experience working in payment services (e.g bank)
@4crafters5979 ай бұрын
This means they restart the encryption in code per block? Or am I misunderstanding?
@DavidCosta859 ай бұрын
another idea. this is fun. what about recovering and cracking encrypted files get the original file and then mine it and encrypted again with another algorithm
@zxcvb_bvcxz9 ай бұрын
did ChatGPT write this?
@DavidCosta859 ай бұрын
can't we just remove the formula from the encrypted file checking for patterns and approximations in files in different computers