Cracking Ransomware: Bypassing Anti-Analysis Techniques and Decrypting LockBit Black Ransomware

SANS Ransomware Summit 2023 Cracking Ransomware: Bypassing Anti-Analysis Techniques and Decrypting LockBit Black Ransomware Speaker: Noël Keijzer, Incident Responder/Reverse Engineer, Northwave In the last years, ransomware groups have been knocking companies offline across the world, demanding ever-increasing sums of money for a key to unlock encrypted machines and data. From a technical perspective, the biggest challenge is to decrypt the hostage data held for ransom, without a valid decryption key. Some say that this is close to impossible. But reverse engineers (RE) are here to prove the contrary. Besides the encryption algorithms that a ransomware group uses (e.g., original or modified versions of RSA, AES-256 and ChaCha20), they also use “anti-analysis” techniques (e.g., packing, string obfuscation and dynamic API loading). Therefore, the challenge of REs is to bypass anti-analysis techniques and find flaws in the encryption algorithms used by a ransomware group. We succeeded in both challenges while fighting against the LockBit ransomware group. This was the most prevalent ransomware group of Q3 2022 (i.e., 22% of all global ransomware attacks), according to Mandiant. In this presentation, we will explain how we have bypassed their anti-analysis techniques and cracked their encryption algorithm. In addition to this, we will publicly demonstrate and release the decryption tool that we created against LockBit Black. Our main goal with this presentation is to shed light on our approach, and to incentivize the community to use it to fight back against ransomware groups. View upcoming Summits: http://www.sans.org/u/DuS