Clutch tool thanks for the write up and analysis, appreciated.
@DiskTuna 4 years ago
Awesome video, very informative!
@ahmadjaffal6548 4 years ago
Hi Michael, any way to decrypt online variant .oonn ransomware? Thanks
@4SecuriTI 6 years ago
Excellent work, my friend! Thanks for sharing!!
@pratapmali2434 5 years ago
Please share the decryptor file used in the video, unable to get through the site
@metdievalex 6 years ago
Hello Michael, I wonder if you could analyze a sample, I have an alleged decryptor of cerber ransomware that was delivered to the victim 2 years ago, unfortunately he made the payment without receiving the keys, I am a beginner in this and would appreciate if with your experience you can help me with the reverse engineering
@Demonslay335 6 years ago
So did they send him the decrypter executable, but no key? Which version of Cerber was it? I can take a look if you share a link to the sample or hash.
@metdievalex 6 years ago
Thanks for answering me, Michael. I think it's Cerber v4 or 5. I know there's no decryptor yet, you even told me on Twitter, I'm a follower. The victim (a nursing home) restored their activities some time ago and I only have basic technical support skills, I'm not a programmer either, but I have that big question and am curious to know if there was something behind this program, like IPs, domain servers, another hidden payload, a backdoor, or if it really had a crack. I appreciate your time and I hope you find something interesting, thanks for the help. mega.nz/#F!yJUF0AAT!fctpnhfMWEUvOVluakWTBA
@Demonslay335 6 years ago
@metdievalex I think I found something interesting alright... you seem to be dealing with a dual-infection. The "UltraDeCrypter" and screenshots of its site are part of CryptXXX 3.0 (www.kaspersky.com/blog/cryptxxx-v3-ransomware/13628/), yet the filenames and ransom note of course suggest Cerber v4/5. CryptXXX probably encrypted first. The "UltraDeCrypter" requires a key given to the victim on the custom Tor page after payment - if that PEM formatted string was never posted and saved, then there's nothing that can be done in most cases (you can still try the Kaspersky decrypter, but you may need to try renaming the files with a ".crypt" extension possibly and hope there isn't a Cerber layer on top). The odd thing is that the two encrypted files have some valid data in them; one has a valid PNG header, but I found some ASCII text later in it, and the other has a valid PKZIP header (likely an Office .docx or .xlsx file). I'm not familiar with the encryption scheme of either ransomware to speculate any further on what happened. Though, there seem to be many accounts of CryptXXX 3.0 victims paying and not getting their data decrypted properly...
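The kind of check described in the reply above (a valid file header, readable text further in) can be scripted for triage. This is an added example, not part of the original comment thread and not the commenter's tooling; the function names, block size, threshold and sample bytes are assumptions made for illustration.

```python
import hashlib
import math

# File signatures mentioned in the comment above.
MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG", b"PK\x03\x04": "PKZIP"}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(data: bytes, block_size: int = 1024, threshold: float = 7.0) -> dict:
    """Report the header type and which blocks look random vs. structured.

    High entropy alone does not prove encryption: PNG and .docx/.xlsx bodies
    are compressed and also score high. Low-entropy blocks (plain text,
    zero padding) inside an "encrypted" file are the notable finding.
    """
    kind = next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    high = [i for i, b in enumerate(blocks) if entropy(b) >= threshold]
    low = [i for i in range(len(blocks)) if i not in high]
    return {"header": kind, "blocks": len(blocks),
            "high_entropy": high, "low_entropy": low}

def constructed_sample() -> bytes:
    """Constructed test input: PNG signature, random-looking body, ASCII tail."""
    # Deterministic pseudo-random bytes stand in for ciphertext (assumption).
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    sig = b"\x89PNG\r\n\x1a\n"
    body = sig + stream[:2048 - len(sig)]
    tail = (b"This block is ordinary readable text. " * 40)[:1024]
    return body + tail

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Run against copies of the affected files, never the only originals.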
@pubgmuqabla3924 5 years ago
Sir please help me I got nuksus encrypted files
@AZ.Editor.7 5 years ago
Redl file decrypt tool plz tell me.. My all encrypt
@Demonslay335 5 years ago
Dude. Unrelated to the video. New Djvu, READ THE FAQ: support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
@cheungsauhang2017 4 years ago
Can you decrypt OPQZ online key files?
@Demonslay335 4 years ago
Dude, unrelated video... And no. Read the FAQ... support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
@ricardobobadilla8290 6 years ago
I need a solution to Dharma (.cezar family). I have encrypted files; if you know how to decrypt the files I can pay you.
@Demonslay335 6 years ago
Dharma is not decryptable without the criminal's private RSA keys. No-one but the criminals can decrypt it. Restore from backups and never expose RDP to the web.
@ricardobobadilla8290 6 years ago
Is it possible that someone can decrypt that?
@Demonslay335 6 years ago
@ricardobobadilla8290 "No-one but the criminals can decrypt it."