2025-10-22 – Schengen 1 & 2
Ransomware remains one of the most prevalent and destructive forms of malware today. Understanding its inner workings is crucial for defenders and incident responders alike. This workshop will offer a deep dive into reverse engineering ransomware, focusing on practical methods for unpacking and analyzing malicious code.
The Reverse Engineering Ransomware: A Hands-on Workshop is designed to provide attendees with practical experience in analyzing a simulated ransomware sample. The workshop will begin with an introduction to ransomware and an overview of tools such as Ghidra, OllyDbg, x64dbg, Process Monitor, and Wireshark. Attendees will then engage in static analysis using Ghidra to examine the ransomware binary, followed by dynamic analysis in a safe virtual machine environment, where they will observe the malware’s behavior using debugging tools and monitoring software. The session will also cover extracting Indicators of Compromise (IOCs) and documenting the findings in a report.
Throughout the workshop, attendees will be guided step-by-step, with time for questions, hands-on practice, and discussion. The workshop concludes with a Q&A session and provides additional resources and a whitepaper for continued learning.
Note: A simulated ransomware sample will be provided at the start of the workshop. Attendees are encouraged to bring a laptop with at least 16GB of RAM and a pre-configured VM environment to fully participate in the hands-on analysis.
In this practical, hands-on workshop, participants will learn how to reverse engineer a ransomware sample in a controlled, safe environment. By using tools like Ghidra, OllyDbg, and x64dbg, attendees will gain first-hand experience unpacking, analyzing, and understanding the inner workings of ransomware. This workshop will guide participants through static and dynamic analysis techniques, providing valuable insights into malware behavior, payload delivery, and persistence mechanisms.
Here is a detailed breakdown of the session:
- Introduction and Set Up (5 mins)
  This will include a brief introduction to the topic: what ransomware is, why it is important to analyze, and how reverse engineering can help with understanding and mitigating threats, along with an overview of the tools used (Ghidra, OllyDbg, x64dbg, Process Monitor, Wireshark, virtual machines).
- Securely setting up the VM (10 mins)
  This will take about 15 mins, during which attendees can set up their VMs securely, along with basic guidelines on creating a safe environment in which to analyze malware (e.g., a sandboxed Windows VM).
- Introduction to the Ransomware Sample (5 mins)
  This will involve a detailed overview of the simulated ransomware sample being used; we will also highlight the types of analysis the participants will perform (static vs. dynamic).
- Static Analysis (30 mins)
  Here I will introduce Ghidra for static analysis and guide attendees through importing and analyzing the ransomware binary in Ghidra. We will discuss key features such as identifying functions, finding encrypted data, and examining sections of the binary.
  We will then perform basic static analysis on the ransomware sample, covering imports, functions, strings, encryption routines, and command-and-control communication indicators.
  Participants are strongly encouraged to follow along and ask questions throughout the live static analysis.
- Dynamic Analysis (30 mins)
  Here, we will quickly introduce x64dbg and OllyDbg for dynamic analysis and explain how these tools can be used to observe malware behavior in a running environment.
  Participants will then be guided through launching the malware in the virtual machine, running it, and monitoring its behavior.
  This part will explain how to capture memory, file system, and registry modifications during execution, and show participants how to use Process Monitor to track file system and registry changes.
  We will also introduce Wireshark for monitoring network activity during the ransomware's execution; C2 changes are common during execution, so identifying the specific packets sent and received is worth noting. Attendees will also be taught how to identify key behaviors (e.g., encryption of files, registry changes, persistence mechanisms).
- Analysis and IOC Extraction (10 mins)
  This part will show participants how to extract key IOCs (file names, file hashes, registry keys, network traffic) from the analysis and discuss how these IOCs can be used for detection and response.
  Briefly, we will also walk through the process of documenting the analysis and IOCs.
  Participants are encouraged to take notes on what they observed and what could be potential signs of compromise.
- Wrap Up and brief Q&A with Attendees (5 mins)
  Attendees can raise any remaining doubts, and during the wrap up they will be given a detailed white paper on how reversing complex malware files like this ransomware works, covering setting up a secure VM, dissecting a sample using static and dynamic analysis, and extracting IOCs that can be used in detection and response.
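As an added example (not part of the workshop material or its sample), the IOC extraction step above in code: a script that reads a Process Monitor CSV export, keeps only events from the analyzed process, and groups file writes, registry values, autostart persistence and remote endpoints into an IOC list. The CSV rows, the process name `sample.exe`, the paths, the Run key and the address are all constructed.

```python
# Added example: turn a Process Monitor CSV export into a first IOC list.
# The CSV below is constructed to mimic Procmon's default CSV export columns;
# the sample name, paths, key and address are made up, not real indicators.
import csv
import io

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4242","CreateFile","C:\Users\lab\Documents\report.docx.locked","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4242","WriteFile","C:\Users\lab\Documents\report.docx.locked","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","sample.exe","4242","WriteFile","C:\Users\lab\Desktop\README_DECRYPT.txt","SUCCESS","Offset: 0, Length: 512"
"10:01:02.4","sample.exe","4242","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.5","sample.exe","4242","TCP Connect","lab-vm:49812 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:02.6","explorer.exe","1337","WriteFile","C:\Users\lab\NTUSER.DAT","SUCCESS","Offset: 0, Length: 8"
'''
SAMPLE_PROCESS = "sample.exe"  # constructed process name of the workshop sample

def extract_iocs(csv_text, process_name):
    """Collect file, registry, persistence and network IOCs for one process."""
    iocs = {"files": set(), "registry": set(), "persistence": set(), "network": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # skip unrelated processes captured in the same trace
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in row["Detail"]):
            iocs["files"].add(path)
        elif op == "RegSetValue":
            iocs["registry"].add(path)
            if "\\CurrentVersion\\Run\\" in path:  # autostart value: persistence
                iocs["persistence"].add(path)
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            iocs["network"].add(path.split("->")[-1].strip())  # remote endpoint
    return {k: sorted(v) for k, v in iocs.items()}

def encrypted_extensions(files):
    """Extensions stacked on an existing one (report.docx.locked -> .locked)."""
    exts = set()
    for path in files:
        parts = path.rsplit("\\", 1)[-1].split(".")
        if len(parts) >= 3:
            exts.add("." + parts[-1])
    return sorted(exts)

def render_report(iocs):
    """Plain-text IOC section for the analysis write-up."""
    lines = [f"[{cat}] {v}" for cat, vals in iocs.items() for v in vals]
    lines += [f"[extension] {e}" for e in encrypted_extensions(iocs["files"])]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(extract_iocs(PROCMON_CSV, SAMPLE_PROCESS)))
```

On a real trace, filter by PID as well as process name, since a sample may spawn or inject into other processes that a name match alone would miss.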
Ankshita is a cybersecurity consultant with a sharp focus on malware analysis, offensive tactics, and real-world threat detection. Her background spans the finance sector, tech industry, and incident response, where she has worked as a SOC analyst, security engineer, and consultant across corporate and critical infrastructure environments. She holds the ISTQB Certified Security Tester credential, is KLCP certified, and is currently researching advanced malware evasion techniques and system exploitation pathways.
She has presented her work at Hack.lu (Luxembourg), Après Cyber Slopes Summit (Utah), DevFest Africa, and The Developers Conference (Mauritius). Her technical approach blends dynamic analysis, code unpacking, and attacker tradecraft — often with a focus on web-based attack surfaces. Ankshita has also been recognized by Huawei Mauritius in 2024 for her innovation in engineering