
How to get data inside the encrypted file?

New Member

I'm not sure whether I'm writing in the right section, but I didn't find a more relevant one.
Background: I'm doing a DFIR CTF and I need to get the data inside a file that was encrypted by ransomware (there are no decryption tools for my ransomware).
I have a .dmp image and a pcap. I'm new to forensics and I'm learning on the go, so maybe I missed something.

1) tried to dump my file before it was encrypted, but without luck; maybe the txt file was not used by any process during the incident, or maybe I can try another tool? I used Volatility and found that there are issues with the dumpfiles plugin. What other tool can I try?
2) dumped all files that were stored in memory;
3) carved all files via foremost;
4) tried to find any useful information via HxD by searching the file name;
5) I know that my file, before it was encrypted, was in a zip archive; maybe that's where I need to go? Maybe I need to recover the archive, but as I understand it, the dmp is more like memory.
6) tried to find a solution for how I can see the content of the lnk file before it was encrypted, but I didn't find how to do it.
7) tried to find useful information in the registry dump.

I don't need this data in my investigation, but I dumped all files from the pcap and I couldn't find anything worthwhile except the ransomware file;

I have no idea what else I can try to do.

Posted : 10/05/2020 7:11 pm

Not my strong suit, but have you checked out ?
It is a joint effort between law enforcement and IT companies to battle ransomware.
So it might give you a pointer or something like that P

Posted : 11/05/2020 8:46 pm
New Member

Nope, to be honest I forgot about that site. heh.
Anyway, I did the CTF task )
I found the text in memory via hex.

Posted : 12/05/2020 2:31 am
New Member

Some types of ransomware only do partial encryption, to save time I guess and spread as fast as possible. An example is the 'popular' STOP/DJVU ransomware family. I discovered this by accident after repairing a JPEG, which, as I later learned, was a victim of some STOP/DJVU variant. So for example here's extraction and repair of a corrupt embedded JPEG from a Canon raw (CR2) that was affected by STOP/DJVU:

Figured it might be possible to make some media affected by this ransomware playable too and tested with a hex editor. When that appeared to work, I wrote a small tool that can make some media types playable:

Posted : 27/06/2020 5:51 pm