Assignment 1 - Ransomware Analysis and Recovery

Context

To test your knowledge and understanding of the subjects discussed in labs 1-4, you are given a considerably larger program to analyze and apply concepts of:

• black-box analysis (lab 1)
• white-box analysis (labs 2-3)
• gray-box analysis (lab 4)

The analysis of this binary imitates analyzing a real-world ransomware. A ransomware is a malicious software that seeks to encrypt files and hold them for ransom. Users must pay the hackers to regain access to files such as pictures, videos or any other important documents. Depending on the developer skills and understanding of cryptography, some types of ransomware can be decrypted without paying because of various flaws. However, most modern versions are not crackable and unfortunately, in those scenarios, decrypting the files is not usually possible.

More general information on this topic here: https://www.nomoreransom.org/en/ransomware-qa.html

For this assignment, you will have to analyze a toy implementation of a pseudo-malicious ransomware (it does not encrypt anything except for some circumstances you will discover). Moreover, for didactic reasons, this binary is fundamentally flawed from a cryptographic point of view such that even if encryption is triggered, decryption can be done with ease after proper analysis of the encryption algorithm.

Task resources

Download from here. The archive password is infected and has the following contents:

• asg1 - the binary you will analyze
• c19cf21d23c2a054462451047b202711 - the encrypted file you have to recover

Objectives and grading

• The binary searches for files with a certain pattern and only encrypts those that match. Find out what the pattern is. (20p)
• Describe how the encrypted files are internally structured (what bytes are written in the encrypted files and how the encryption is done) (50p)
• Figure out how the file renaming process works and describe how decryption could theoretically be done (20p)
• Create a program/script that decrypts any given encrypted file including the target file in the archive (10p)

What to send

• detailed descriptions of what you did to solve each objective
• any logs/traces you consider important in your analysis
• the IDB/I64 (or the IDC and screenshots if that’s the case) resulting from your analysis in IDA Pro
• the source code for your decryption program/script
• the final decrypted file

Where/when to send

There will be a Homework Assignment added to the Microsoft Teams channel. You will be able to send all your files and get feedback there.

The assignment can be solved until the 4th of April 2021, 23:59 (hard deadline).

Fair play

Do not cheat! Do not post the task text or files on any sort of public/private collaboration platform (forums, groups, etc). Do not ask someone else to solve it for you.

You will be randomly asked about various aspects from your solution and you should be able to answer on the spot.

Any cheating attempts will result in a 0 grade for this Assignment.

Support

You can ask questions (by mail) regarding the tasks in any of the labs so far or regarding analysis in general such as:

• how can I transform a data string into code in IDA?
• how can I set conditional breakpoints in gdb?
• how can I script gdb?
• how can I script IDA?
• how can I patch bytes in an executable?
• how can I patch bytes in an IDA database?
• how can I call libc functions from a Python script?

However, really specific questions regarding the assignment tasks will probably not be answered. These are for you to answer by manual analysis.