Posts

Showing posts from December, 2017

The Lie of the "Retis" ransomware - How to decrypt

Image
Its two days to christmas and there is no petrol to move around and I have been grounded by my wife for staying out late (10pm), so i stay at home and play with my daughter (Nicole). At the exact point she slept off, i got a threat intelligence report about a new ransomware dubbed "Retis Ransomware". Bored at home, i decided to have a look at this new toy. I got a sample of it from hybrid-analysis and just threw it into "dnSpy" - my favorite .NET decompiler. To my surprise, the code was not obfuscated as most malwares are usually obfuscated to prevent reverse-engineering. I also noticed it was very selective of the type of files to encrypt and focused on documents and pictures. I ran it within my test system and it encrypted some files and added ".crypted" extension. Unlike most disastrous ransomwares (wannacry, notpetya, badrabbit) this was a bit lax on the range of files to encrypt, and also it did not seem to delete shadow files which could b...