A Deep Analysis of Current Ransomware

With the growth of cryptocurrency, far more ransomware has been discovered in recent years. Attackers use it to encrypt the files of random (or targeted) victims and extort payment. We analyze current samples and focus on the techniques they use. For instance, some of them encrypt only part of each file's content to speed up encryption, and they combine different encryption algorithms so that encryption is both fast and, from the attacker's side, safe against recovery of the key.
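To make the partial-encryption trade-off concrete, here is an added example (not code from the talk or from any of the families it covers). It encrypts only a file's head plus a fixed-size block at the start of every window, and then runs the check a responder would want: per-chunk Shannon entropy, which shows exactly which regions were touched. The head/stride/block sizes, the HMAC-SHA256 keystream (a stdlib stand-in for AES-CTR) and the sample "document" are all assumptions for illustration.

```python
"""Toy partial-file encryption plus an entropy check that reveals it.

Illustration only: the 'cipher' is an HMAC-SHA256 keystream (a stdlib
stand-in for AES-CTR), the file is an in-memory byte string, and the
head/stride/block sizes are made-up parameters, not any real family's.
"""
import hashlib
import hmac
import math
from typing import List, Tuple

Range = Tuple[int, int]  # (offset, length)


def plan_ranges(size: int, head: int = 1024, stride: int = 4096, block: int = 512) -> List[Range]:
    """Choose which byte ranges get encrypted: the whole head, then
    `block` bytes at the start of every `stride`-byte window after it."""
    ranges: List[Range] = []
    if size <= head:
        return [(0, size)] if size else []
    ranges.append((0, head))
    off = head
    while off < size:
        ranges.append((off, min(block, size - off)))
        off += stride
    return ranges


def _keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """CTR-style keystream; the absolute offset is mixed in so no two
    ranges of the same file reuse keystream."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        msg = nonce + offset.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor_ranges(data: bytes, key: bytes, nonce: bytes, ranges: List[Range]) -> bytes:
    """XOR the selected ranges with keystream. XOR is an involution, so
    the same call with the same key/nonce/ranges decrypts."""
    buf = bytearray(data)
    for off, ln in ranges:
        ks = _keystream(key, nonce, off, ln)
        for i in range(ln):
            buf[off + i] ^= ks[i]
    return bytes(buf)


def encrypted_fraction(size: int, ranges: List[Range]) -> float:
    """Share of the file that actually gets encrypted under the plan."""
    return sum(ln for _, ln in ranges) / size if size else 0.0


def chunk_entropy(data: bytes, chunk: int = 512) -> List[float]:
    """Shannon entropy (bits per byte) of each `chunk`-byte slice."""
    result = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        counts = [0] * 256
        for b in piece:
            counts[b] += 1
        n = len(piece)
        result.append(-sum(c / n * math.log2(c / n) for c in counts if c))
    return result


def flag_encrypted_chunks(data: bytes, chunk: int = 512, threshold: float = 7.0) -> List[int]:
    """Indexes of chunks whose entropy looks like ciphertext (text and
    most document formats sit well below 7 bits/byte; random data near 8)."""
    return [i for i, h in enumerate(chunk_entropy(data, chunk)) if h >= threshold]


if __name__ == "__main__":
    import secrets
    # Constructed sample 'document': repetitive text, low entropy.
    plaintext = b"Quarterly report: revenue up, costs flat. " * 400  # 16800 bytes
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ranges = plan_ranges(len(plaintext))
    ct = xor_ranges(plaintext, key, nonce, ranges)
    print(f"encrypted {encrypted_fraction(len(plaintext), ranges):.1%} of the file")
    print("high-entropy chunks:", flag_encrypted_chunks(ct))
    assert xor_ranges(ct, key, nonce, ranges) == plaintext
```

With these parameters less than a fifth of the file is touched, which is the whole point for the attacker: the work per file drops by roughly that factor while the untouched remainder is still useless without the encrypted head. The caveat for defenders is the flip side: a whole-file entropy average can look almost normal, so detection that keys on "file became high-entropy" needs to look at chunks, not files.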

In this talk, we share our reverse-engineering analysis of four current ransomware families and explain their techniques, including packing, obfuscation, key generation, and encryption. We also compare them and discuss why they use these techniques. Each one has something interesting:

  • Egregor: it applies a lot of junk code to obfuscate both its packer and its main program.
  • Prometheus: it uses predictable "random" passwords that can be brute-forced.
  • 1ec509...: it writes a registry key as a marker on victims, which defenders can reuse as a vaccine.
  • Conti: it uses many anti-reversing and anti-debugging techniques to hinder analysis.
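The predictable-password point in the Prometheus bullet is easiest to see in code. The following is an added example, not Prometheus's actual generator or any code from the talk: it assumes a password built from a 32-bit linear congruential generator seeded with a per-second timestamp, and a key derivation of SHA-256(password) used as keystream over the file header. Under those assumptions the password has at most as much entropy as the seed, and a known file magic is enough to brute-force it.

```python
"""Brute-forcing a 'random' password whose only entropy is a small seed.

Constructed example: the generator, the seed source (a per-second
timestamp) and the key derivation are assumptions for illustration,
not any real family's code.
"""
import hashlib
import time
from typing import Optional, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def gen_password(seed: int, length: int = 16) -> str:
    """Hypothetical generator: a 32-bit LCG seeded with a timestamp.
    The output looks random, but it is a pure function of `seed`."""
    state = seed & 0xFFFFFFFF
    chars = []
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF  # glibc-style LCG constants
        chars.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    return "".join(chars)


def header_keystream(password: str) -> bytes:
    """Assumed key derivation: SHA-256 of the password, used as keystream
    for the first 32 bytes of each file."""
    return hashlib.sha256(password.encode()).digest()


def encrypt_header(header: bytes, password: str) -> bytes:
    """XOR the (up to 32-byte) header with the keystream; self-inverse."""
    return bytes(b ^ k for b, k in zip(header[:32], header_keystream(password)))


def recover_seed(cipher_header: bytes, known_prefix: bytes,
                 seed_lo: int, seed_hi: int) -> Optional[Tuple[int, str]]:
    """Try every seed in [seed_lo, seed_hi); a candidate is right when its
    password turns the ciphertext back into the known file magic."""
    for seed in range(seed_lo, seed_hi):
        pw = gen_password(seed)
        if encrypt_header(cipher_header, pw)[:len(known_prefix)] == known_prefix:
            return seed, pw
    return None


if __name__ == "__main__":
    # Constructed victim: infection happened within the last hour, and the
    # file is known to be a PDF (magic "%PDF-").
    infection_time = int(time.time()) - 1234
    victim_pw = gen_password(infection_time)
    cipher_header = encrypt_header(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", victim_pw)
    now = int(time.time())
    print("recovered:", recover_seed(cipher_header, b"%PDF-", now - 3600, now + 1))
```

A one-hour window is 3,600 candidates and a whole day only 86,400, which a laptop finishes in seconds; the five known magic bytes give a 40-bit check, so false positives over a range that small are not a practical concern. The check needs no decryptor or leaked key, only the victim's file timestamps to bound the seed range.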