Hey
@struppigel thanks a lot for the help. If I got it right, the generates itself by connecting to botnet server and the key should be inside one of the files the ransomware created. Or the ransomware generates the key inside the registry?
These are good starting points to search the key. Now you need to verify any assumptions you made.
> if I got it right the generates itself by connecting to botnet server
Does it get the key from the server
or
does it generate the key and afterwards contact the server to send the key to the server?
Do you know why keys might be sent to a server?
> the key should be inside one of the files the ransomware created
It is a valid assumption because some ransomware does save the key in generated files. So this can be one location to look for.
But I personally would start at the key generation algorithm because it comes first and there is a high probability that the criminals did something wrong there. Only if this one does not help me (because it is made in a way that we cannot retrieve the key) would I go further down the chain and look at how the key is saved or transmitted after generation.
> Or the ransomware generates the key inside the registry
Also a good location to look for. Some ransomware saves keys in the registry. You might be lucky enough to retrieve the key from the registry of an infected system if the key is not encrypted.
It does not generate keys there, though. The registry is only a place to put settings and data into.
Since this part comes after key generation, I would put that aside for now. Concentrate on key generation first.