- Jul 22, 2014
- 2,525
Emsisoft CTO and malware researcher Fabian Wosar had said in the past that he wanted to do an educational live stream on reversing malware. Today, after G DATA security researcher Karsten Hahn discovered a new ransomware called Hermes, Fabian decided to use it as the sample for his first live streaming session.
The best part is that this ransomware turned out to be decryptable. This gave those of us who were watching the live stream a first-hand view of how a malware researcher analyzes a new ransomware and builds a decryptor for it.
Fabian's Analysis shows that Hermes can be Decrypted
While analyzing the Hermes sample, Fabian found that the seed used to generate the encryption key could be attacked in order to create a decryptor. Once this was established, Fabian showed how that weakness can be used to recover the key and then decrypt the encrypted files.
For those interested in this process, you can watch the full video, which is embedded below. I watched a good portion of the live stream today, and it is an interesting way to gain better insight into how researchers analyze malware.
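To make the general idea concrete, here is an added toy example (written for this page; it is not Fabian's code and does not model Hermes' actual key schedule, which the post does not describe). It assumes a hypothetical ransomware whose file key is a pure function of a 32-bit seed, such as the Unix timestamp at encryption time. Because the seed space is small and can be narrowed further from the encrypted file's modification time, a decryptor can brute-force the seed from one encrypted file whose original header is known (here a constructed PDF), then derive the key and decrypt everything. The stream cipher and KDF are stand-ins, not real cryptography.

```python
"""Toy illustration of attacking a low-entropy key seed (constructed example).

The 'ransomware' below is hypothetical and does NOT model Hermes' real key
schedule. It only shows the general technique: if the key is derived
deterministically from a seed the attacker can enumerate (here a 32-bit
timestamp bounded by the file's mtime), one encrypted file with a known
header is enough to recover the seed, the key, and then every file.
"""
import hashlib
import struct

KEY_LEN = 16


def derive_key(seed: int) -> bytes:
    """Hypothetical weak KDF: the key is a pure function of a 32-bit seed."""
    return hashlib.sha256(struct.pack("<I", seed)).digest()[:KEY_LEN]


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy hash-counter stream cipher, a stand-in for the real cipher."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack("<Q", block)).digest()
        block += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, seed: int) -> bytes:
    """What the toy ransomware does: key from seed, XOR with the keystream."""
    return xor_bytes(plaintext, keystream(derive_key(seed), len(plaintext)))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Brute-force the seed over [seed_lo, seed_hi] using known plaintext.

    known_prefix is the expected start of the original file (a PDF or PNG
    header, for example). Insist on at least 8 bytes: over a full 2^32 seed
    space a 4-byte check would produce about one false match on average,
    while 8 bytes makes an accidental match negligible.
    """
    if len(known_prefix) < 8:
        raise ValueError("need >= 8 bytes of known plaintext to rule out false matches")
    head = ciphertext[:len(known_prefix)]
    for seed in range(seed_lo, seed_hi + 1):
        key = derive_key(seed)
        if xor_bytes(head, keystream(key, len(head))) == known_prefix:
            return seed
    return None  # seed not in the searched window


def demo():
    """Encrypt a constructed victim file, then recover the key like a decryptor would."""
    # Constructed victim file: a PDF-looking document.
    plaintext = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >>"
    true_seed = 1487000000  # hypothetical 'encryption timestamp' used as the seed
    ciphertext = encrypt(plaintext, true_seed)

    # The decryptor knows the file's mtime to within an hour and the PDF header,
    # so it only has to try 7,201 seeds instead of 2^32.
    mtime_guess = true_seed + 1375
    seed = recover_seed(ciphertext, b"%PDF-1.4", mtime_guess - 3600, mtime_guess + 3600)
    recovered = decrypt(ciphertext, derive_key(seed)) if seed is not None else None
    return seed, recovered == plaintext


if __name__ == "__main__":
    print(demo())
```

The point of the known-plaintext check is that the decryptor never needs the ransomware's key storage at all: any file type with a fixed header (PDF, PNG, ZIP, Office documents) gives a test oracle, and narrowing the seed window from file metadata turns an impractical search into one that finishes in seconds.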
More details in the link above