yup, a switch to classic Mac OS. Could use some BeOS love :D

I beg to differ she chose the worst ransomware to investigate ever

Explain @@thesickestnoodle-nq3wn

​@@thesickestnoodle-nq3wn what's wrong with this one?

​@@dogyX3It's incredibly simple and featureless... Tons of more fitting samples

@@thesickestnoodle-nq3wn Come on... I am impressed. Don't be a dick

strace traces syscalls. No way to read or write files under Linux without syscalls, even in assembly.

Yea I’m wondering how it would even be possible to hide

Actually, her experience was due to the fact she was not running Virtual Machine hardware in a certain configuration. A mere change to a path can result in the ransomware not working.

it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.

​@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?

That would be great

My guess is that the authors are bluffing with the data being stoled, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all). I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.

@@MartinWoadand also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).

perhaps a mechanical keyboard with customized switches.. I love the sound of it too

Actually its a great question.

Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same kay and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously). It would be nice to find out how it really works and understand why it happens.

win11