37C3 - Unlocked! Recovering files taken hostage by ransomware

21,627 views

media.ccc.de

1 day ago

Comments: 33
@effsixteenblock50 9 months ago
"You can find them yourself on the internet!" In my best dream ever, I can imagine Tobias responding with, "So are you regretting your decision to retire RSA in favor of a flawed implementation of ECC?"
@jintz2 9 months ago
Typical Mastodon user.
@elmo2you 9 months ago
To me it sounded like the audience member either has a nasty personality disorder, or some considerable (personal) animosity and/or arrogance driving those statements. Does anyone know more about what was going on there? Maybe just a disgruntled anonymous soul (be that legitimately or not), but to me it felt like there was much more going on there than just the words spoken.
@effsixteenblock50 9 months ago
@elmo2you The audience member sounded like she was implying that since the ransomware actor had again changed encryption schemes (unconfirmed?), Tobias's presentation was a "nothing-burger" and that she was somehow "exposing" him. Whether or not the actor did in fact do what she alleges, she is wrong.
@sfdntk 9 months ago
@elmo2you I reckon she's just on the spectrum and isn't intentionally coming across as confrontational; conferences like these (and the industry as a whole) naturally attract a lot of neurodivergent people. One of the ways that ASD can present itself is the inability to detect or emulate tone in conversation; some people on the spectrum can come across as far ruder than they intend to be without realising it. Obviously we have no way of knowing if that's the case for this particular woman, maybe she feels like her time was wasted and she's annoyed about it, but I think we should give her the benefit of the doubt and not jump to any solid conclusions about her intent.
@JamesBos 9 months ago
Huge respect to Tobias and co for releasing this. They could have made a motza holding this close to their chest. ❤️
@ewookiis 8 months ago
It's been ages since this was not already in the public domain on how to approach it. The nitty gritty is not always needed - the better part is _how_ to act if it happens - and before that - always - always ensure a sound level of sanity (security / compliance etc etc..) in environments.
@dascandy 8 months ago
Hoping Tobias reads the YouTube comment section... if you have an encrypted file that is likely to contain blocks of pure zeroes - heck, even an MKV file typically contains at least 2kB of zeroes, and no other 64-byte blocks that are commonly present in the file - you should be able to scan through the file to find the most common block at those offsets, and xor each of them with that block, to decrypt any such file. Would even work if it were encrypted multiple times as long as each of the encryption steps was using the same kind of broken software. With regards to file formats specifically, most file formats storing "large" files prefer to have a header describing the start of the file, and the remainder in chunks that are often aligned on page boundaries. That means that you're likely to find chunks of an average of 2kB of zero bytes or 0xFF bytes with padding. Executables, shared libraries, movie file formats, music file formats all do this. Image file formats don't, sadly, so there might be something doable with predefined knowledge of the file format. You don't want to be brute forcing, but you can definitely use different fixed-offset chunks that contain different parts of the "key".
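The recovery approach this comment sketches, as an added example that is not code from the talk, from the decryptor it presents, or from the commenter. It assumes a simplified version of the flaw (one 64-byte keystream block XORed over every aligned block of the file), builds a constructed sample file with a page-aligned run of 0x00 or 0xFF bytes, recovers the key block as the most common aligned ciphertext chunk (filler XOR key), and refuses to "decrypt" when that chunk does not repeat often enough to be credible, which is the image-file case the commenter mentions. BLOCK_SIZE, MIN_REPEATS, the sample layout and KEY_BLOCK are all assumptions made for this example, not values taken from the malware.

```python
from collections import Counter
from typing import Optional, Tuple
import random

# Assumed size at which the flawed cipher repeats its keystream (assumption for this example).
BLOCK_SIZE = 64
# Below this many identical ciphertext chunks the "most common block" guess is not trustworthy.
MIN_REPEATS = 8


def xor_with_block(data: bytes, key_block: bytes) -> bytes:
    """XOR every byte with the same repeating key block.

    This models the flaw the comment relies on: the keystream is reused for every
    BLOCK_SIZE-byte chunk, so the same XOR is both the (broken) encryption and the decryption.
    """
    n = len(key_block)
    return bytes(b ^ key_block[i % n] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, filler: int = 0x00,
                      block_size: int = BLOCK_SIZE) -> Tuple[bytes, int]:
    """Guess the reused key block from the most common aligned ciphertext chunk.

    If the plaintext contains runs of a filler byte (0x00, or 0xFF in padded formats),
    every such chunk encrypts to filler ^ key, so the most frequent chunk XOR filler
    is the key block.  Returns (key_guess, number_of_times_that_chunk_was_seen).
    """
    chunks = [ciphertext[i:i + block_size]
              for i in range(0, len(ciphertext) - block_size + 1, block_size)]
    if not chunks:
        raise ValueError("ciphertext shorter than one block")
    chunk, count = Counter(chunks).most_common(1)[0]
    key_guess = bytes(c ^ filler for c in chunk)
    return key_guess, count


def decrypt_if_plausible(ciphertext: bytes, filler: int = 0x00,
                         min_repeats: int = MIN_REPEATS) -> Optional[bytes]:
    """Recover the file only when the guessed key block repeats often enough to be credible.

    A file without filler runs (most image formats, as the comment notes) yields a
    count of 1 and must not be "decrypted" with what is really just a random chunk.
    """
    key_guess, count = recover_keystream(ciphertext, filler)
    if count < min_repeats:
        return None
    return xor_with_block(ciphertext, key_guess)


def build_sample_plaintext(seed: int = 1, filler: int = 0x00) -> bytes:
    """Constructed stand-in for a container file (not a real format): a 64-byte header,
    a page-aligned 4 KiB filler run, then 8 KiB of random payload."""
    rng = random.Random(seed)
    header = b"CONSTRUCTED-SAMPLE-HEADER".ljust(BLOCK_SIZE, b"\x01")
    padding = bytes([filler]) * 4096
    payload = rng.randbytes(8192)
    return header + padding + payload


# Constructed key block; in a real incident it is unknown to the defender.
KEY_BLOCK = random.Random(2).randbytes(BLOCK_SIZE)


def demo(filler: int = 0x00) -> bool:
    """Encrypt a constructed file with the flawed scheme, recover it blind, compare."""
    plaintext = build_sample_plaintext(filler=filler)
    ciphertext = xor_with_block(plaintext, KEY_BLOCK)
    recovered = decrypt_if_plausible(ciphertext, filler=filler)
    return recovered == plaintext


if __name__ == "__main__":
    print("zero-padded sample recovered:", demo(0x00))
    print("0xFF-padded sample recovered:", demo(0xFF))
```

The repeat count returned by `recover_keystream` is the check a practitioner wants before trusting the result: 64 hits on a 12 KiB file is a keystream, one hit is noise. Multiple encryption passes with the same flawed scheme collapse into a single XOR of the combined key blocks, which is why the commenter's remark that the trick survives repeated encryption holds under this model.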
@TheSlimHim 9 months ago
This is amazing! I wonder if they will take on the phobos decryption project going on?
@magicmulder 9 months ago
Assuming the ransomware peeps would actually honor their pledge to decrypt when they’re paid, how do *they* know which key to use for which file? It’s not really feasible for them to phone all keys home after all.
@TobiKellner 9 months ago
At around 11:50 he talks about every victim getting their own file extension. Presumably that extension and/or the "Login ID" in the ransom instructions .txt somehow contain the key in an encoded form?
@effsixteenblock50 9 months ago
Remember that copies of the files are exfilled to the actor's own infrastructure. I'm sure that the key and other relevant data is as well.
@debug_duck 9 months ago
It is fairly easy to derive unique per-file encryption keys from a common secret, which can then be used as a single point to unlock all files. That is undoubtedly what they are doing with the extension and/or the extra bytes in the files.
@tomt7621 9 months ago
Brilliant, interesting talk. I love this year's conference more with almost every talk; the only things I'm still missing are: a talk by David Kriesel, and an explanation of why a talk by a German at a German conference is held in English. Again another great CCC this year. There are so many talks I enjoyed. I also love this talk. I don't know why, but I even enjoy the CCC talks more than some of the Las Vegas conferences... But why is this talk in English? Obviously you can reach way more people by talking in English, and I'm really happy talks in other languages are part of the CCC conferences and that some angels translate the talks... But why are some talks from Germans at a German conference held originally in English? My 7-year-old son sometimes watches the talks together with me, and the reason he enjoys CCC more than Black Hat or DEF CON is the German language.
@FunctionGermany 9 months ago
I guess because certain topics like this one are likely interesting to audiences with other languages. In one graph you can see that while this ransomware is one of the most used in Germany, it is also used a lot in other countries. Part of the mission of this talk is to spread the message about this decryptor being available as well as educating about preventative measures, and using English helps in this case.
@StuartWoodwardJP 9 months ago
At a conference like the CCC a huge part of the event is actually being there, and the presenters only get one chance a year on the main stage to present their work. Presentations go on from 8 AM to midnight in some conferences, and if they had an additional day or extra stages the schedule would still be full of people wanting to present. However, increases in the number of stages dilute the attendance and create logistical problems, and increases in the length of the conference reduce the quality. So at a certain point a line is drawn and the results are what we see. Even if a presenter wanted to present in multiple languages there isn't the time or opportunity. However, I would suggest that if you find an interesting talk that you would like to hear in German, then contact the speaker; they may already have given the talk locally, or might do so as a result of your request. They might even record it for you.
@DanielMüller-x8s 9 months ago
Imagine they would use the key for every file for performance reasons. That would be lolz. Anyways huge thumbs for this effort. If any client is virtualized you can recover almost everything. Wow.
@deanvangreunen6457 9 months ago
Talk starts at 12:00
@frogz 9 months ago
somewhere somebody in a foreign language: RATS, NOW HOW AM I SUPPOSED TO MAKE MONEY? thank you whoever reverse engineers things, especially for the betterment of fellow humans
@aaronr.9644 9 months ago
If we know their bitcoin addresses, wouldn't it be possible to blacklist them such that miners would not add these transactions to new blocks? Gone are the days of people mining at home. Mining has become big business requiring large investments. I assume it is much easier to reach the miners than the criminals. Wouldn't it be worthwhile to try and blacklist these addresses?
@loeffel999 8 months ago
Nothing stops them from creating new BTC wallets all the time.
@oneinanull5498 21 days ago
You would need more than 50% of nodes on the network to negotiate a hard fork. The blockchain is a read-only ledger that uses distributed computing to verify each block. Getting a 50% majority is mostly impossible. Eth actually did something similar a long time ago (Ethereum Classic is the original chain) after someone found a bug that let them basically steal a bunch of eth out of other accounts. But any fork of the chain is a fundamental disagreement on which ledger, aka which coin, to follow. So tl;dr: no.
@trungkiennguyen7655 9 months ago
Interesting, the malware is using best practice according to payment practices (separate Cipher object for each chunk). Definitely could have been made faster, and even harder for researchers to analyze, if they used the same cipher for all chunks (state-based). The author must have experience working in payment services (e.g. a bank).
@4crafters597 9 months ago
This means they restart the encryption in code per block? Or am I misunderstanding?
@DavidCosta85 9 months ago
Another idea. This is fun. What about recovering and cracking encrypted files: get the original file and then mine it and encrypt it again with another algorithm?
@zxcvb_bvcxz 9 months ago
did ChatGPT write this?
@DavidCosta85 9 months ago
Can't we just remove the formula from the encrypted file, checking for patterns and approximations in files on different computers?
@zxcvb_bvcxz 9 months ago
no
@kveonlichman2917 9 months ago
what is blud yapping about
@KaneYork 9 months ago
why are you trying to help the bad people