
Ransomware Analysis

This submodule introduces the fundamentals of ransomware: its encryption methods, ransom-note delivery, and spread mechanisms. Participants analyze ransomware behaviour, system impact, and forensic artifacts in hands-on labs, building a base for more advanced work.

In May 2017, a devastating ransomware attack spread rapidly across the globe, locking critical systems and demanding Bitcoin payments. This challenge explores the inner workings of one of the most infamous cyber threats in history. Analyze how the ransomware exploited system vulnerabilities, encrypted data, and propagated through networks. Use your investigation skills to uncover key technical and impact-related details of the attack.


BlackCat, also known as ALPHV, emerged as a prominent ransomware-as-a-service (RaaS) group in late 2021. Written in Rust, it could be built for several platforms, and intrusions often began with stolen credentials followed by abuse of RDP for lateral movement. Affiliates used tools such as Mimikatz to dump LSASS and escalated privileges through token impersonation. They targeted both Windows and ESXi servers and disabled VSS, deleting shadow copies to prevent recovery.


The malware used AES-CTR for file encryption and custom packing to evade detection. Persistence was maintained through WMI event subscriptions, and automation was handled with PowerShell Empire. Attackers staged data (T1074) and uploaded it to Mega, then ran a double-extortion campaign by threatening to leak it. Encrypted files were marked with the .ALPHV extension, and AV services such as MsMpEng were terminated. Remote access was maintained through C2 over HTTPS.
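The behaviours in the two paragraphs above (shadow-copy deletion, LSASS dumping, MsMpEng termination, encoded PowerShell launchers, WMI event-subscription persistence) leave process-creation and WMI artifacts that a responder can hunt for. The following is an added example written for this page, not code from the module or from any ALPHV sample: it runs simple detection rules over constructed, Sysmon-like records in a simplified `key=value` format of its own and maps each hit to its MITRE ATT&CK technique ID. The hostnames, users, paths, the sample records and the truncated `-Enc` blob are all made up, and the rule patterns are illustrative heuristics rather than a vendor ruleset.

```python
"""Triage constructed endpoint telemetry for the ALPHV behaviours described above.

Records use a simplified key=value line format (quoted values allowed) that is
loosely modelled on Sysmon process-creation (EID 1), process-access (EID 10)
and WMI-subscription (EID 19-21) events.  Format and events are constructed
for this example; they are not real telemetry from any case.
"""
import re
from collections import defaultdict

# Constructed sample: three hosts, one benign record at the end.  The -Enc
# value is a truncated placeholder, not a real payload.
SAMPLE_LOG = r"""
eid=1 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
eid=1 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
eid=1 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
eid=1 host=DC01 user=CORP\jdoe image=C:\Users\jdoe\Downloads\mimikatz.exe cmd="mimikatz.exe privilege::debug sekurlsa::logonpasswords"
eid=10 host=DC01 source=C:\Users\jdoe\Downloads\mimikatz.exe target=C:\Windows\System32\lsass.exe access=0x1010
eid=1 host=WS07 user=CORP\jdoe image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM MsMpEng.exe"
eid=1 host=WS07 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
eid=20 host=WS07 consumer=CommandLineEventConsumer name=Updater cmd="powershell -NoP -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
eid=1 host=WS07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\jdoe\report.docx"
"""

# key=value tokens; a value is either "quoted with spaces" or a bare word.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Parse one key=value record into a dict (findall yields '' for the unused group)."""
    return {key: quoted or bare for key, quoted, bare in TOKEN.findall(line)}


# Heuristic patterns for the command lines the passage describes.
RECOVERY = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|bcdedit\b.*recoveryenabled\s+no",
    re.I)
ENC_PS = re.compile(r"powershell.*\s-enc(odedcommand)?\s+\S+", re.I)
KILL_AV = re.compile(r"taskkill\b.*\bmsmpeng\.exe", re.I)

# (ATT&CK ID, description, predicate over a parsed record).  The IDs are
# MITRE's; the predicates are this example's own assumptions.
RULES = [
    ("T1490", "shadow copies or boot recovery disabled",
     lambda r: RECOVERY.search(r.get("cmd", "")) is not None),
    ("T1003.001", "LSASS credential dumping",
     lambda r: "sekurlsa::" in r.get("cmd", "").lower()
     or r.get("target", "").lower().endswith("\\lsass.exe")),
    ("T1562.001", "Defender engine (MsMpEng.exe) terminated",
     lambda r: KILL_AV.search(r.get("cmd", "")) is not None),
    ("T1059.001", "hidden or encoded PowerShell launcher",
     lambda r: ENC_PS.search(r.get("cmd", "")) is not None),
    ("T1546.003", "WMI event-subscription persistence",
     lambda r: r.get("eid") in {"19", "20", "21"}),
]


def triage(log_text):
    """Return one finding per (record, matching rule) pair, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        for tid, desc, hit in RULES:
            if hit(rec):
                findings.append({
                    "host": rec.get("host", "?"),
                    "eid": rec.get("eid"),
                    "technique": tid,
                    "description": desc,
                    "evidence": rec.get("cmd") or rec.get("target", ""),
                })
    return findings


def techniques_by_host(findings):
    """Collapse findings to a sorted list of technique IDs per host."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["technique"])
    return {host: sorted(tids) for host, tids in sorted(seen.items())}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['host']:5} EID {f['eid']:>2} {f['technique']:<10} {f['description']}: {f['evidence']}")
    print(techniques_by_host(hits))
```

Running the block prints nine findings: three recovery-inhibition hits on FS01 (the usual last step before encryption starts), two credential-dumping hits on DC01, and on WS07 the Defender kill, the encoded launcher, and the WMI consumer that fires both the PowerShell and the persistence rule. The benign notepad record produces nothing. Real telemetry would need the actual Sysmon schema and tuning against legitimate backup tooling that also calls vssadmin.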


Attribution was difficult because of the affiliate model, and most ransoms were paid in Monero. A global takedown was delayed by jurisdictional limits, which allowed the group to stay active across sectors.
