Jump to content

Ransomware decryption key from memory ?


Recommended Posts

I am helping out with a ransomware incident. Some of their computers were virtual machines, and they were suspended during the ransom event (while the ransomware was encrypting). This means there is a copy of the memory at that point in time.

My understanding is that most (all?) "professional" ransomware nowadays uses public/private key encryption and also use per-file encryption keys, so even if there would be AES or RSA keys in memory, they will be of limited use?

I'd love to hear your thoughts on this avenue of recovery. I would like to share more details, but as this is a recent event I can't share details less it exposes the affected company (or the group takes issue).

Link to comment
Share on other sites

You could in theory mount the snapshots and recover individual files with some data recovery tool on another PC I guess but there's no way without looking at the ransomware itself to determine whether the decryption keys would be stored in memory or not or if there are even other protections in place like memory randomization to stop you from being able to just pluck keys from such an idea. It is an interesting idea though and in some cases it may be possible. I don't see why not. As long as you have found the keys you should be able to reverse the encryption on the files. 

*That's my understanding - I'm sure there are others here that would provide a more thorough approach/explanation. ✌️

Link to comment
Share on other sites

  • 2 months later...

I know I'm late to the post, but wouldn't ransomware use some sort of public-key crypto, so that the private key never reaches the system without the victim paying?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...