Rincrypt Ransomware Decryptor

BOTCONF 2024

@yarienkiva

Obligatory Peepoodo ➡

tr: "I know what I'm doing my lightning talk on"

whoami

  • Aloïs "Alol" de Souza-Coroller
  • Malware Analyst @CERT La Poste
  • Was forced to submit a LT (kidding)
  • Have slept ~2h (not kidding)

Yesterday

(boss) You better submit a LT or I'm not paying for your travel expenses!

(me) Plz no I'm a poor student :(

Sources:
https://twitter.com/pcrisk/status/1776153378541711571
https://www.virustotal.com/gui/file/265db2cb4ed90260f5b245d475510d005476eaeb967ab8e8b4959aba92e97e81

How2RE: Python Malware

  • Unpack the PyInstaller bundle with pyinstxtractor
  • Decompile the extracted .pyc files with Decompyle++ (pycdc)
  • If pycdc gives up ("# WARNING: Decompyle incomplete", "Unsupported opcode"), the output is not trustworthy
  • Disassemble the bytecode with pycdas instead

Sources:
https://github.com/extremecoders-re/pyinstxtractor
https://github.com/zrax/pycdc
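The three steps above as one driver script. This is an added example, not code from the talk or from the cited projects; it assumes pyinstxtractor.py, pycdc and pycdas are on PATH, and relies on pycdc writing its "Decompyle incomplete" comment to stdout and "Unsupported opcode" to stderr.

```python
"""Added example (not from the talk): pyinstxtractor -> pycdc -> pycdas fallback.

Assumes pyinstxtractor.py, pycdc and pycdas are on PATH.
"""
import re
import subprocess
from pathlib import Path

# pycdc writes this comment into the decompiled source when it gives up on a
# code object; the opcode it choked on is reported on stderr.
INCOMPLETE_MARKER = "WARNING: Decompyle incomplete"
UNSUPPORTED_RE = re.compile(r"Unsupported opcode", re.IGNORECASE)


def needs_disassembly(stdout: str, stderr: str) -> bool:
    """True if pycdc's output is not trustworthy and pycdas should be used."""
    return INCOMPLETE_MARKER in stdout or bool(UNSUPPORTED_RE.search(stderr))


def unpack(sample: Path) -> Path:
    """Run pyinstxtractor; it creates <sample>_extracted next to the sample."""
    subprocess.run(["python", "pyinstxtractor.py", str(sample)], check=True)
    return sample.with_name(sample.name + "_extracted")


def recover(pyc: Path, outdir: Path) -> Path:
    """Decompile with pycdc; fall back to a pycdas disassembly if incomplete."""
    dec = subprocess.run(["pycdc", str(pyc)], capture_output=True, text=True)
    if needs_disassembly(dec.stdout, dec.stderr):
        dis = subprocess.run(["pycdas", str(pyc)], capture_output=True,
                             text=True, check=True)
        out = outdir / (pyc.stem + ".pycdas.txt")
        out.write_text(dis.stdout)
    else:
        out = outdir / (pyc.stem + ".py")
        out.write_text(dec.stdout)
    return out


def main(sample: str) -> list:
    """Unpack one sample and recover every top-level .pyc (the entry scripts)."""
    extracted = unpack(Path(sample))
    outdir = extracted / "recovered"
    outdir.mkdir(exist_ok=True)
    return [recover(p, outdir) for p in sorted(extracted.glob("*.pyc"))]


if __name__ == "__main__":
    import sys
    for path in main(sys.argv[1]):
        print(path)
```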

YAOSM: Yet Another Open Source Malware

https://github.com/marcosValle/RansPy/blob/master/enc.py

YAOSM (Yet Another Open Source Malware) + repurposed decryption function = Decryptor !

See you next year !

@yarienkiva - Aloïs - CERT La Poste

If you ever need the decryptor for some inconceivable reason:

https://gist.github.com/yarienkiva/95802bf6e92ea1ff797b877106e687ad

Looking for work in September,

Will RE / Pwn / Threat hunt for food :)

Addendum

  • Rincrypt v2 is based on Chaos Ransomware; files can be decrypted with the TrustedSec decryptor.
  • Rincrypt v3 is a modified version of Rincrypt v1; files can be decrypted with the same decryptor (but with a different key).
  • Both decryptors will be published shortly.
