Not long ago, I ran across this LinkedIn post on analyzing a ransomware executable, which led to this
HexaStrike post. The HexaStrike post covers analyzing an AI-generated ransomware variant, which (to be honest) is not something I’m normally interested in; however, in this case, the blog contained the following statement that caught my interest:
People often ask: “Why analyze ransomware? It’s destructive; by the time analysis happens, it’s too late”. That’s only half true. Analysis matters because sometimes samples exploit bugs to spread or escalate (think WannaCry/EternalBlue), they often ship persistence or exfiltration tricks that translate into detection rules, custom crypto occasionally ships with fixable flaws allowing recovery from ransomware, infrastructure and dev breadcrumbs surface through pathnames and URLs, and, being honest, it’s fun.
For anyone who’s been following me for any length of time, here on this blog or on LinkedIn, you’ll know that “dev breadcrumbs” are something that I’m very, VERY interested in. I tend to refer to them as “toolmarks” but “dev breadcrumbs” works just as well.
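The “dev breadcrumbs” the quoted post mentions, pathnames and URLs, are usually recoverable straight from a binary’s bytes, and they feed directly into the “translates into detection rules” point. What follows is an added example, not code from this blog or from the HexaStrike post: it walks a byte buffer for CodeView “RSDS” debug records (magic, 16-byte GUID, 4-byte age, NUL-terminated PDB path), scans for http(s) URLs stored as ASCII or UTF-16LE strings, pulls the developer-side facts a PDB path leaks (profile name, project name, build configuration), and emits a YARA rule skeleton from the results. The sample bytes, GUID, path and hostnames are constructed for the example and do not come from any real sample.

```python
import re
import struct
import uuid

# Constructed sample bytes standing in for a strings/debug region of a PE. This is NOT a real
# ransomware sample; the GUID, path and hosts (.invalid TLD) are invented for this example.
_FAKE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BYTES = (
    b"\x00" * 8
    # CodeView RSDS record: magic, GUID (little-endian field layout), age, NUL-terminated PDB path
    + b"RSDS" + _FAKE_GUID.bytes_le + struct.pack("<I", 3)
    + b"C:\\Users\\dev\\source\\repos\\locker\\x64\\Release\\locker.pdb\x00"
    + b"\x00" * 4
    + b"http://example.invalid/gate.php\x00"                                  # ASCII string
    + b"\x00" * 4
    + "https://c2.example.invalid/upload".encode("utf-16-le") + b"\x00\x00"  # wide (UTF-16LE) string
)

RSDS_MAGIC = b"RSDS"
_URL_CHARS = r"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"
URL_RE_BYTES = re.compile(rb"https?://" + _URL_CHARS.encode())
URL_RE_TEXT = re.compile(r"https?://" + _URL_CHARS)
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # runs of printable UTF-16LE characters
USER_DIR_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list:
    """Find CodeView RSDS records and return offset, GUID, age and PDB path for each."""
    results = []
    off = data.find(RSDS_MAGIC)
    while off != -1:
        body = off + 4 + 16 + 4                      # path starts after magic + GUID + age
        nul = data.find(b"\x00", body) if body <= len(data) else -1
        if nul != -1:
            path = data[body:nul].decode("latin-1")
            # Require a printable path ending in .pdb so a stray "RSDS" byte run is not reported.
            if path.lower().endswith(".pdb") and path.isprintable():
                results.append({
                    "offset": off,
                    "guid": str(uuid.UUID(bytes_le=data[off + 4:off + 20])),
                    "age": struct.unpack_from("<I", data, off + 20)[0],
                    "path": path,
                })
        off = data.find(RSDS_MAGIC, off + 1)
    return results


def extract_urls(data: bytes) -> list:
    """Return (encoding, url) pairs for http(s) URLs stored as ASCII or as UTF-16LE strings."""
    found = [("ascii", m.group().decode("ascii")) for m in URL_RE_BYTES.finditer(data)]
    for run in WIDE_RUN_RE.finditer(data):
        text = run.group().decode("utf-16-le")
        found.extend(("utf-16le", m.group()) for m in URL_RE_TEXT.finditer(text))
    return found


def pdb_breadcrumbs(path: str) -> dict:
    """Pull the developer-side facts a PDB path leaks: profile name, project name, build config."""
    parts = path.replace("/", "\\").split("\\")
    user = USER_DIR_RE.search(path)
    leaf = parts[-1]
    return {
        "user": user.group(1) if user else None,
        "project": leaf[:-4] if leaf.lower().endswith(".pdb") else leaf,
        "build_config": next((p for p in parts if p.lower() in ("debug", "release")), None),
    }


def _yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule_from_breadcrumbs(name: str, pdb_paths: list, urls: list) -> str:
    """Turn recovered breadcrumbs into a YARA rule skeleton; the analyst still tunes the condition."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, rec in enumerate(pdb_paths):
        lines.append(f'        $pdb{i} = "{_yara_escape(rec["path"])}" ascii')
    for i, (_enc, url) in enumerate(urls):
        lines.append(f'        $url{i} = "{_yara_escape(url)}" ascii wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    pdbs = extract_pdb_paths(SAMPLE_BYTES)
    urls = extract_urls(SAMPLE_BYTES)
    for rec in pdbs:
        print(f"PDB @0x{rec['offset']:x} guid={rec['guid']} age={rec['age']} path={rec['path']}")
        print("  breadcrumbs:", pdb_breadcrumbs(rec["path"]))
    for enc, url in urls:
        print(f"URL ({enc}): {url}")
    print(yara_rule_from_breadcrumbs("locker_dev_breadcrumbs", pdbs, urls))
```

On a real file you would read the whole executable into `data` (or, better, only the debug directory and the string-bearing sections) and review the output by hand: a PDB path from a `C:\Users\<name>\` profile, a project name, and a hard-coded URL are exactly the toolmarks worth pivoting on, and the generated rule is a starting point to tighten, not something to deploy as-is.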
Something else…in my experience, some of the malware RE write-ups are devoid of the types of things mentioned in the above quotes, particularly anything that “translates into detection rules”. I know some are going to think, “yeah, but li
[…]