Basic Memory Forensics / .NET Malware Analysis Guide (HTB DFEND the Box CTF 2023)
Dexie The Sheep
Ransomware sucks, right? Your files get encrypted, and then some guy sitting behind a screen across the world demands money to get 'em back. What if you could cut them out of the equation, and recover data without paying those suckers a dime? In this video, I'm gonna show you how to do just that by solving the "Unfinished Business" flag from the DFEND The Box 2023. (aka a crappy report on how I solved the flag so I don't forget next time kek)
========================================
DOWNLOAD LINKS:
Volatility Framework: https://www.volatilityfoundation.org/releases
Ghidra: https://github.com/NationalSecurityAgency/ghidra/releases/
JetBrains dotPeek: https://www.jetbrains.com/decompiler/
Here, you're gonna learn how to sift through a memory dump and glean information using the Volatility Framework. Then, you'll learn how to look through decompiled C# code from a .NET binary using JetBrains dotPeek. Finally, you'll learn how to rewrite that malicious payload into a decryptor. Most ransomware will try to hide its tracks after locking up your files, but this video is for people who are just starting out, so the ransomware here is persistent and keeps reinfecting files on startup, which means it has to be able to retrieve the key each time it runs. That makes our job somewhat easier: if the malware can find the key, so can we.
Again, real malware will probably involve more complicated tricks, like hooking APIs or injecting DLLs (which is where Volatility plugins like apihooks or dlldump come in), and more in-depth analysis in Ghidra (malware authors who don't want their code decompiled would probably avoid .NET and use a language that doesn't compile to easily decompiled bytecode). This video is for anyone who's interested in learning more about ransomware analysis and data forensics, but doesn't know where to start. I originally made it to help classmates who took part in the CTF and didn't know what to do for this flag, but you could apply the same approach to real malware with more advanced commands, tools, and Volatility plugins, as long as you take the correct safety precautions and use common sense. (Might do a video on actual malware analysis later, if people end up being interested)
https://www.youtube.com/watch?v=b6vNEplVhjs
193258030 Bytes