Dynamically Analyzing Linux Black Basta Ransomware

17,334 views

LaurieWired

1 day ago

In this video, we dynamically analyze the Linux Black Basta ransomware family. We use strace to determine the required directories and trigger both the encryption and decryption behavior.
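As an added example (not code from the video or from LaurieWired), here is a small POSIX shell helper for the strace workflow the description refers to: run the sample under `strace -f -e trace=file -o trace.log` in an isolated analysis VM, then list the paths it probed that came back ENOENT, which are the directories an analyst creates before the next run so the sample gets past its environment checks. The strace log embedded below is constructed for the example, not captured from the real sample; the `/vmfs/volumes` entry is a constructed stand-in for an ESXi-style datastore path, and the loader-noise filter is an assumption about what can safely be ignored on a typical glibc system.

```shell
#!/bin/sh
# Added example (not the video's code): list the paths a sample looked for
# and did not find, from an strace log of its file-related syscalls.
#
# In an isolated analysis VM the log would be captured with
#   strace -f -e trace=file -o trace.log ./sample
# -f follows child threads/processes, -e trace=file keeps only syscalls
# that take a path, -o writes the trace to a file instead of stderr.

# Lookups every dynamically linked binary makes; not specific to the sample.
# This filter is an assumption for the example; extend it for your distro.
LOADER_NOISE='^/etc/ld\.so|^/lib|^/usr/lib'

# Print each unique path whose syscall returned -1 ENOENT.
# strace prints the path as the first quoted argument on the line.
trace_missing_paths() {
    grep ' = -1 ENOENT ' "$1" \
        | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' \
        | sort -u
}

# Same, minus the loader noise: what is left is what the analyst must create.
trace_missing_sample_paths() {
    trace_missing_paths "$1" | grep -Ev "$LOADER_NOISE" || true
}

# Constructed sample log (not output from the real Black Basta sample).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1001 execve("./sample", ["./sample"], 0x7ffd1234 /* 20 vars */) = 0
1001 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
1001 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
1001 stat("/vmfs/volumes", 0x7ffd5678) = -1 ENOENT (No such file or directory)
1002 openat(AT_FDCWD, "/vmfs/volumes", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
1002 openat(AT_FDCWD, "/tmp/test/hello.txt", O_RDONLY) = 3
EOF

echo "All ENOENT paths:"
trace_missing_paths "$SAMPLE_LOG"
echo "Paths to create before the next run:"
trace_missing_sample_paths "$SAMPLE_LOG"
```

The second list is the actionable one: `/etc/ld.so.preload` is probed by every dynamically linked program and says nothing about the sample, while a missing directory the sample itself asks for is exactly the kind of prerequisite the video hunts down before encryption is triggered. Because the real log comes from `-f`, child threads show up with their own PIDs, which is why the parser ignores the leading PID column.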
---
Timestamps:
00:00 Intro
00:44 Analysis Environment
02:13 Starting Dynamic Analysis
03:19 Decryptors
04:26 Triggering Encryptor
06:21 Strace
08:00 VMWare ESXi
09:39 VMFS Test
12:30 Ransom Note
15:07 Strace Encryptor Output
15:50 Multithreading
17:48 Triggering Decryptor
19:38 Dumped key?
20:58 Decryptor Round 2
22:58 Successful Decryption!
23:27 Recap
---
Software Links Mentioned in Video:
strace manpage:
www.man7.org/linux/man-pages/...
---
Malware Examined in the video (BlackBasta):
Decryptor:
sha256:96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
Encryptor:
sha256:0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef
---
laurieWIRED Twitter:
/ lauriewired
laurieWIRED Website:
lauriewired.com
laurieWIRED Github:
github.com/LaurieWired
laurieWIRED HN:
news.ycombinator.com/user?id=...
laurieWIRED Reddit:
/ lauriewired

Comments: 68
@samrichardson9827 1 month ago
The fact that you can analyze, decipher, plan ahead and slow yourself down for us, in order to perform this perfectly clear pedagogic explanation, all at once, is kinda impressive.
@lkron5741 10 months ago
This must be one of the most underrated channels on YT.
@thesickestnoodle-nq3wn 8 months ago
I beg to differ she chose the worst ransomware to investigate ever
@VincentGroenewold 3 months ago
Explain @@thesickestnoodle-nq3wn
@dogyX3 2 months ago
@@thesickestnoodle-nq3wn what's wrong with this one?
@thesickestnoodle-nq3wn 2 months ago
@@dogyX3 It's incredibly simple and featureless... Tons of more fitting samples
@tommyovesen 1 month ago
@@thesickestnoodle-nq3wn Come on... I am impressed. Don't be a dick
@szymoniak75 2 months ago
typical Linux experience: you even have to troubleshoot malware and actually try hard to get it working
@miguelmahecha88 5 months ago
I absolutely love this format. The "window" switching is really cool.
@ktxed 1 month ago
yup, a switch to classic Mac OS. Could use some BeOS love :D
@mytechnotalent 10 months ago
Great job Laurie! I love how strace can show so much. In a CTF I wrote in x86 Assembler, I worked to hide all of the traces but few ever go to such lengths.
@tolkienfan1972 2 months ago
strace traces syscalls. No way to read or write files under Linux without syscalls, even in assembly.
@djukicdev 10 months ago
Let's all love lain
@QLPJosh 17 days ago
This was a great watch, really interesting stuff. Thank you for creating this
@randommoosebrains 10 months ago
Thanks for uploading. I’m learning a lot of cool stuff from the channel. Haven’t seen all the videos but thank the algorithm for recommending this channel.
@MaZderMind 9 months ago
Kudos to the amount of work you put into the production! The MacOS/WinXP crossover made me laugh and love to the Corgi :) Also, you have a really calm and structured way of teaching. 👌
@kumarprateek1279 10 months ago
Thanks for these videos. It has really got me interested in malware analysis.
@IsaiahG-em9in 9 months ago
I love your videos! I learn so much!! Thank you
@envygrace 10 months ago
Very interesting, love your channel
@emileberteloot6546 9 months ago
Pure Gold! Pls never stop!
@math4538 10 months ago
Excellent video, thanks for this content
@0xeb- 10 months ago
Good work Laurie.
@RyouConcord 10 months ago
ty for the upload!
@marcschweiz 5 months ago
Great content!
@afkbender3686 10 months ago
awesome and way above my head! ::Swoosh::
@PurpleTeamer 9 months ago
Hi Laurie. Stupid question, but the Ubuntu VM you are using is 64-bit or 32-bit? Just asking. Thank you, great video BTW
@its1one 10 months ago
That's awesome
@GEORGECAR4 8 months ago
Hi Laurie, great video. Do you mind making a video of putting Black Basta into Ghidra? I'm currently trying to analyze a Windows version, the one that starts with ae7, and I'm completely lost in Ghidra
@danielranc8963 2 months ago
Nice exercise! Note that this malware must first acquire root privileges to do anything ugly.
@dripcode2600 2 months ago
Fun! Informative! Really enjoy your videos! #LaurieWired
@LeonIsAPro 2 months ago
Thanks, I learned so much. I agree with @lkron5741, this channel is very underrated.
@ktxed 1 month ago
What theme is Laurie using for the XP feeling?
@quicktastic 1 month ago
Jimmy 'two-times' from GoodFellas would've cracked this. "I'm gonna get the papers. Get the papers". "I'm gonna decrypt the files. Decrypt the files".
@lewiswhitling1351 3 months ago
I'm so confused... it encrypted to a length of bytes that you'd probably expect. Which then decrypted to a small number of bytes (about the size of a key). Which then encrypted back to a length similar to the original encryption. Which then decrypted back to the original bytes. I've never come across anything like that before... wouldn't the initial decryption that shortened the bytes lose information? Is this multiple encrypt/decrypt a common method in cyber-sec land?
@MichaelButlerC 2 months ago
it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.
@rich1051414 1 month ago
@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?
@ismiregalichkochdasjetztso3232 2 months ago
I started my reverse engineering career as a teen in the late 80s, mostly cracking games and hunting malware on MS-DOS. Glad to see the next generation going strong at it!
@satina1169 7 months ago
The world needs more Lauries
@NineInchTyrone 6 days ago
How about a roadmap for learning these techniques
@pavloburyanov5842 1 month ago
container inside vm inside vm. lets go!
@FitzkeeLab 10 months ago
It doesn't appear that the ransomware is actually "stealing" the data and transferring it to another server. Wouldn't you see that in the strace? Or am I misunderstanding how this malware works?
@MartinWoad 5 months ago
My guess is that the authors are bluffing with the data being stolen, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all). I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.
@MichaelButlerC 2 months ago
@@MartinWoad and also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).
@mojed6666 10 months ago
This woman has great style :-) and so cool how she explains stuff. Thanks
@illteteka 10 months ago
What keyboard are you using? I love the sound of it
@antonadjei 10 months ago
perhaps a mechanical keyboard with customized switches.. I love the sound of it too
@ronaldjonson8240 7 months ago
Saw the lain intro and hit subscribe immediately
@goonman1255 10 months ago
what OS is that?
@quackcharge 10 months ago
win11
@nicholaslandolina 18 days ago
The old TV
@mashraf7858 10 months ago
These thumbnails though 😂
@tolkienfan1972 2 months ago
Weird that it took an extra encrypt+decrypt to get back to the original
@user-jx7cv2td4y 2 months ago
Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same key and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously). It would be nice to find out how it really works and understand why it happens.
@btruj2507 1 month ago
Looks like it targets VMware O/S
@NineInchTyrone 6 days ago
WRITE A BOOK
@AndrewKroll 9 months ago
Well, strace doesn't tell you much, just traces system calls. You should use gdb and/or a disassembler instead to figure out how the actual encryption works.
@Tiredofkiling 10 months ago
Schway
@JamesSmith-ix5jd 10 months ago
Looks like this is a real girl, not a trans person, femboy, or an actress who doesn't understand what she's reading off the teleprompter...
@rolandcollins1427 10 months ago
I am sorry !what! thank you
@anderson-gb8rp 10 months ago
How's chad?