Dynamically Analyzing Linux Black Basta Ransomware

Поделиться
HTML-код
  • Опубликовано: 24 дек 2024

Комментарии • 79

  • @lkron5741
    @lkron5741 Год назад +124

    This must be one of the most underrated channels on YT.

    • @thesickestnoodle-nq3wn
      @thesickestnoodle-nq3wn Год назад +3

      I beg to differ
      she chose the worst ransomware to investigate ever

    • @VincentGroenewold
      @VincentGroenewold 10 месяцев назад

      Explain @@thesickestnoodle-nq3wn

    • @dogyX3
      @dogyX3 9 месяцев назад +1

      ​@@thesickestnoodle-nq3wn what's wrong with this one?

    • @thesickestnoodle-nq3wn
      @thesickestnoodle-nq3wn 9 месяцев назад

      ​@@dogyX3It's incredibly simple and featureless... Tons of more fitting samples

    • @tommyovesen
      @tommyovesen 8 месяцев назад

      @@thesickestnoodle-nq3wn Come on... I am impressed. Don't be a dick

  • @miguelmahecha88
    @miguelmahecha88 Год назад +26

    I absolutely love this format. The "window" switching is really cool.

    • @ktxed
      @ktxed 8 месяцев назад +1

      yup, a switch to classic Mac OS. Could use some BeOS love :D

  • @samrichardson9827
    @samrichardson9827 8 месяцев назад +26

    The fact that you can analyze, decypher, plan ahead and slow yourself down for us, in order to perform this perfectly clear pedagogic explanation, all at once, is kinda impressive.

  • @djukicdev
    @djukicdev Год назад +14

    Let's all love lain

  • @randommoosebrains
    @randommoosebrains Год назад +5

    Thanks for uploading. I’m learning a lot of cool stuff from the channel. Haven’t seen all the videos but thank the algorithm for the recommending this channel.

  • @mytechnotalent
    @mytechnotalent Год назад +13

    Great job Laurie! I love how strace can show so much. In a CTF I wrote in x86 Assembler, I worked to hide all of the traces but few ever go to such lengths.

    • @tolkienfan1972
      @tolkienfan1972 9 месяцев назад +6

      strace traces syscalls. No way to read or write files under Linux without syscalls, even in assembly.

    • @zt9233
      @zt9233 3 месяца назад

      Yea I’m wondering how it would even be possible to hide

  • @QLPJosh
    @QLPJosh 7 месяцев назад +1

    This was a great watch, really interesting stuff. Thank you for creating this

  • @MaZderMind
    @MaZderMind Год назад +1

    Kudos to the amount of work you put into the production! The MacOS/WinXP crossover made me lough and love to the Corgi :)
    Also, you have a really calm and structured way of teaching. 👌

  • @ismiregalichkochdasjetztso3232
    @ismiregalichkochdasjetztso3232 9 месяцев назад +1

    I started my reverse engineering career as a teen in the late 80s, mostly cracking games and hunting malware on MS-DOS. Glad to see the next generation going strong at it!

  • @kumarprateek1279
    @kumarprateek1279 Год назад +1

    Thanks for these videos. It has really got me interested in malware analysis.

  • @szymoniak75
    @szymoniak75 9 месяцев назад +33

    typical Linux experience: you even have to troubleshot malware and actually try hard to get it working

    • @Kristopher_Logan
      @Kristopher_Logan 6 месяцев назад

      Actually, her experience was due to the fact she was not running Virtual Machine hardware in a certain configuration. A mere change to a path can result in the ransomware not working.

  • @0xeb-
    @0xeb- Год назад +2

    Good work Laurie.

  • @math4538
    @math4538 Год назад +2

    Excellente vidéo, merci pour ce contenu

  • @envygrace
    @envygrace Год назад +1

    Very interesting, love your channel

  • @emileberteloot6546
    @emileberteloot6546 Год назад

    Pure Gold !
    Pls never stop !

  • @illteteka
    @illteteka Год назад +2

    What keyboard are you using? I love the sound of it

    • @antonadjei
      @antonadjei Год назад

      perhaps a mechanical keyboard with customized switches.. I love the sound of it too

  • @peterweston6588
    @peterweston6588 5 месяцев назад +1

    "Present Day, Present Time -- Copland OS"

  • @IsaiahG-em9in
    @IsaiahG-em9in Год назад

    I love your videos! I learn so much!! Thank you

  • @marcschweiz
    @marcschweiz Год назад +1

    Great content!

  • @satina1169
    @satina1169 Год назад +3

    The world needs more Lauries

  • @lewiswhitling1351
    @lewiswhitling1351 10 месяцев назад +1

    I'm so confused... it encrypted to a length of bytes that you'd probably expect. Which then decrypted to a small number of bytes (about the size of a key). Which then encrypted back to a length similar to the original encryption. Which then decrypted back to the original bytes.
    I've never come across anything like that before... wouldn't the initial decryption that shortened the bytes lose information? Is this multiple encrypt/decrypt a common method in cyber-sec land?

    • @MichaelButlerC
      @MichaelButlerC 9 месяцев назад +2

      it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.

    • @rich1051414
      @rich1051414 8 месяцев назад

      ​@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?

  • @NineInchTyrone
    @NineInchTyrone 7 месяцев назад +1

    How about a roadmap for learning these techniques

    • @zt9233
      @zt9233 3 месяца назад

      That would be great

  • @berndeckenfels
    @berndeckenfels 5 месяцев назад +1

    So the decryptor is from the ransom group and does decrypt anything without payment or is it a third party crack?

  • @kikomartinez9062
    @kikomartinez9062 6 месяцев назад

    Ok you had ne at the Lain intro lol subscribed

  • @afkbender3686
    @afkbender3686 Год назад +1

    awesome and way above my head! ::Swoosh::

  • @danielranc8963
    @danielranc8963 9 месяцев назад

    Nice exercice! Note that this malware must first acquire root privileges to do anything ugly.

  • @ktxed
    @ktxed 8 месяцев назад

    What theme is Laurie using for the XP feeling?

  • @RyouConcord
    @RyouConcord Год назад

    ty for the upload!

  • @FitzkeeLab
    @FitzkeeLab Год назад +1

    It doesn't appear that the ransomware is actually "stealing" the data and transferring it to another server. Wouldn't you see that in the strace? Or am I misunderstanding how this malware works?

    • @MartinWoad
      @MartinWoad Год назад +2

      My guess is that the authors are bluffing with the data being stoled, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all).
      I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.

    • @MichaelButlerC
      @MichaelButlerC 9 месяцев назад +1

      @@MartinWoadand also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).

  • @dripcode2600
    @dripcode2600 9 месяцев назад

    Fun! Informative! Really enjoy your videos! #LaurieWired

  • @goonman1255
    @goonman1255 Год назад +1

    what OS is that?

  • @tolkienfan1972
    @tolkienfan1972 9 месяцев назад

    Weird that it took an extra encrypt+decrypt to get back to the original

    • @Павал-л8ч
      @Павал-л8ч 9 месяцев назад +1

      Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same kay and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously).
      It would be nice to find out how it really works and understand why it happens.

  • @mojed6666
    @mojed6666 Год назад +2

    This women has great style :-) and so cool how she explains stuff. Thanks

  • @pavloburyanov5842
    @pavloburyanov5842 8 месяцев назад

    container inside vm inside vm. lets go!

  • @kayleekayt3306
    @kayleekayt3306 Месяц назад

    Me wondering whether the windows desktop is a techbro trap oO

  • @its1one
    @its1one Год назад

    That's awesome

  • @LeonIsAPro
    @LeonIsAPro 9 месяцев назад

    Thanks, I leaned so much. I agree withlkron5741, this channel is very underrated.

  • @btruj2507
    @btruj2507 8 месяцев назад

    Looks like it targets VMware O/S

  • @PurpleTeamer
    @PurpleTeamer Год назад

    Hi Laurie. Stupid question, but the Ubuntu VM you are using is 64bit or 32bit ? just asking. Thank you
    Great Video BTW

    • @atatopatato
      @atatopatato 2 месяца назад

      Actually its a great question.

  • @GEORGECAR4
    @GEORGECAR4 Год назад

    Hi Laurie great video do you mind making a video of putting black Basta into ghidra I'm currently trying to analyze a windows version the one that starts with ae7 an I'm completely lost in ghidra

  • @nicholaslandolina
    @nicholaslandolina 7 месяцев назад

    The old TV

  • @ronaldjonson8240
    @ronaldjonson8240 Год назад

    Saw the lain intro and hit subscribe immediately

  • @quicktastic
    @quicktastic 8 месяцев назад

    Jimmy 'two-times' from GoodFellas would've cracked this. "I'm gonna get the papers. Get the papers". "I'm gonna decrypt the files. Decrypt the files".

  • @gurpchirp
    @gurpchirp 2 месяца назад

    she's so adorable.

  • @mashraf7858
    @mashraf7858 Год назад

    These thumbnails though 😂

  • @wuggyfoot
    @wuggyfoot 4 месяца назад

    she kinda sound like oyung sheldon

  • @AndrewKroll
    @AndrewKroll Год назад +1

    Well, strace doesn't tell you much, just traces system calls. You should use gdb and/or a disassembler instead to figure out how the actual encryption works.

  • @Tiredofkiling
    @Tiredofkiling Год назад +2

    Schway

  • @NineInchTyrone
    @NineInchTyrone 7 месяцев назад

    WRITE A BOOK

  • @JamesSmith-ix5jd
    @JamesSmith-ix5jd Год назад +2

    похоже это настоящая девушка, не транс, фембой или актёрша не понимающая что читает с телесуфлёра...

  • @rolandcollins1427
    @rolandcollins1427 Год назад

    i am sorry !what! thankyou

  • @anderson-gb8rp
    @anderson-gb8rp Год назад +1

    How's chad?