Rincrypt Ransomware Decryptor
BOTCONF 2024
@yarienkiva
Obligatory Peepoodo ➡
tr: "I know what I'm doing my lightning talk on"
whoami
- Aloïs "Alol" de Souza-Coroller
- Malware Analyst @CERT La Poste
- Was forced to submit a LT (kidding)
- Have slept ~2h (not kidding)
Yesterday
(boss) You better submit a LT or I'm not paying for your travel expenses!
(me) Plz no I'm a poor student :(
Sources:
https://twitter.com/pcrisk/status/1776153378541711571
https://www.virustotal.com/gui/file/265db2cb4ed90260f5b245d475510d005476eaeb967ab8e8b4959aba92e97e81
How2RE: Python Malware
- Unpack PyInstaller with pyinstxtractor
- Decompile with Decompyle++ (pycdc)
- If pycdc prints `# WARNING: Decompyle incomplete` / `Unsupported opcode`, disassemble with pycdas instead
Sources:
https://github.com/extremecoders-re/pyinstxtractor
https://github.com/zrax/pycdc
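The slide's procedure as a small triage helper, added here as an example (it is not from the talk, from pyinstxtractor or from pycdc): it checks for the PyInstaller archive cookie before bothering to extract, builds the pyinstxtractor / pycdc command line, and switches to pycdas when pycdc's output shows the decompile was incomplete. The tool names on PATH, the `<sample>_extracted/` output directory and the `enc.pyc` entry file name are assumptions, and the sample bytes are constructed, not taken from the real malware.

```python
"""Triage helper for a suspected PyInstaller-packed Python sample.

Assumptions (not from the talk or the tools' documentation):
  - pyinstxtractor.py, pycdc and pycdas are on PATH;
  - pyinstxtractor writes to "<sample>_extracted/";
  - the interesting entry module is "enc.pyc" (hypothetical name).
"""
import re
import shutil
import subprocess
from typing import List, Optional

# PyInstaller stores an 8-byte cookie magic near the end of the bundled
# executable; pyinstxtractor locates the embedded archive by searching for it.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# pycdc's markers for a decompile it could not finish.
PYCDC_WARNING_RE = re.compile(r"Decompyle incomplete|Unsupported opcode", re.IGNORECASE)

# Constructed stand-in for a packed sample: a fake PE stub followed by the cookie.
CONSTRUCTED_SAMPLE = b"MZ" + b"\x90" * 64 + PYINSTALLER_MAGIC + b"\x00" * 24


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True if the PyInstaller cookie magic is present in the file tail."""
    # The cookie sits at the end of the file, so scanning the tail keeps the
    # check cheap on large binaries (short files are searched entirely).
    return PYINSTALLER_MAGIC in data[-4096:]


def needs_disassembly(pycdc_output: str) -> bool:
    """True when pycdc reported an incomplete decompile (unsupported opcode)."""
    return PYCDC_WARNING_RE.search(pycdc_output) is not None


def plan_commands(sample: str, pycdc_output: Optional[str] = None,
                  entry: str = "enc.pyc") -> List[List[str]]:
    """Return the argv lists for the triage steps in order.

    When the output of the pycdc step is supplied and shows the decompile was
    incomplete, a pycdas step is appended as the fallback.
    """
    extracted = f"{sample}_extracted/{entry}"  # assumed pyinstxtractor layout
    cmds = [
        ["python3", "pyinstxtractor.py", sample],
        ["pycdc", extracted],
    ]
    if pycdc_output is not None and needs_disassembly(pycdc_output):
        cmds.append(["pycdas", extracted])
    return cmds


def run_triage(sample: str) -> List[str]:
    """Execute the plan on disk, returning the outputs of each step.

    Skips the whole run when the file is not a PyInstaller bundle or when a
    required tool is missing, so it is safe to call on arbitrary files.
    """
    with open(sample, "rb") as fh:
        if not is_pyinstaller_bundle(fh.read()):
            return ["not a PyInstaller bundle; nothing to extract"]
    for tool in ("pyinstxtractor.py", "pycdc", "pycdas"):
        if shutil.which(tool) is None:
            return [f"missing tool on PATH: {tool}"]

    outputs: List[str] = []
    pycdc_output: Optional[str] = None
    for argv in plan_commands(sample):
        proc = subprocess.run(argv, capture_output=True, text=True)
        combined = proc.stdout + proc.stderr
        outputs.append(combined)
        if argv[0] == "pycdc":
            pycdc_output = combined
    # Re-plan with the real pycdc output so the pycdas fallback fires if needed.
    fallback = plan_commands(sample, pycdc_output)[2:]
    for argv in fallback:
        proc = subprocess.run(argv, capture_output=True, text=True)
        outputs.append(proc.stdout + proc.stderr)
    return outputs


if __name__ == "__main__":
    print("cookie present:", is_pyinstaller_bundle(CONSTRUCTED_SAMPLE))
    for argv in plan_commands("sample.exe", "# WARNING: Decompyle incomplete"):
        print(" ".join(argv))
```

The decision to fall back lives in `needs_disassembly`, a pure function over pycdc's text output, so it can be unit-tested without the tools installed; `run_triage` is the only part that touches the filesystem and external binaries.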
YAOSM: Yet Another Open Source Malware
https://github.com/marcosValle/RansPy/blob/master/enc.py
YAOSM + repurposed decryption function = Decryptor!
See you next year !
@yarienkiva - Aloïs - CERT La Poste
If you ever need the decryptor for some inconceivable reason:
https://gist.github.com/yarienkiva/95802bf6e92ea1ff797b877106e687ad
Looking for work in September,
will RE / Pwn / Threat hunt for food :)
Addendum
- Rincrypt v2 is based on Chaos Ransomware, files can be decrypted with the TrustedSec decryptor.
- Rincrypt v3 is a modified version of Rincrypt v1, files can be decrypted with the same decryptor (but with a different key).
- Both decryptors will be published shortly
By Alol dSC