2023-10-15, WestIn - Partenkirchen
In the last few years, many organizations have suffered from ransomware attacks. Recovering from a ransomware attack usually requires backups, but in some cases there are other ways. In this session, Alexander will showcase his team's latest research in ransomware decryption capabilities. The research breaks an entire family of ransomware variants and allows victims to restore encrypted data without obtaining the private keys.
- Background of the Chaos ransomware family: from its first release on the XSS forum and the attack against Azovstal to how the ransomware was forked and is now used by multiple groups.
- Encrypting my own system (live demo).
- Comparison of Chaos and Onyx2/VSOP.
- Identifying the vulnerability, weak random.
- How weak randomness can be abused in general, and specifically how System.Random works, shown both in presentation slides and in a live demo.
- Explaining how to exploit and implement the crypto attack.
- Generalizing the attack to break the entire ransomware family.
- Live demo: Decrypting my own system and getting my files back.
- Continuing the presentation from the file I just decrypted and wrapping up with a summary.
ransomware, crypto, reversing
Alexander is a Principal Forensic Consultant at Truesec, where he focuses on incident response, threat intelligence, and security research. Alexander spends most of his time providing incident response to companies that have suffered a cyber attack. He has investigated many high-profile cases, including nation-state-backed attacks and ransomware against global organizations. Alexander also performs offensive and forensic research, and is responsible for developing Truesec's forensic capabilities.