Can't find decryption key
[QUOTE="struppigel, post: 990383, member: 86910"]
These are good starting points to search for the key. Now you need to verify any assumptions you made.

> if I got it right the generates itself by connecting to botnet server

Does it get the key from the server [B]or[/B] does it generate the key and afterwards contact the server to send the key to the server?
Do you know why keys might be sent to a server?

> the key should be inside one of the files the ransomware created

It is a valid assumption because some ransomware does save the key in generated files. So this can be one location to look for.
But I personally would start at the key generation algorithm because it comes first and has a high probability that the criminals did something wrong there. Only if this one does not help me (because it is made in a way that we cannot retrieve the key), I would go further down the chain and look at how the key is saved or transmitted after generation.

> Or the ransomware generates the key inside the registry

Also a good location to look for. Some ransomware saves keys in the registry. You might have luck to retrieve the key from the registry of an infected system if the key is not encrypted.
It does not generate keys there, though. The registry is only a place to put settings and data into.
Since this part comes after key generation, I would put that aside for now. Concentrate on key generation first.
[/QUOTE]