
Dynamically Analyzing Linux Black Basta Ransomware

LaurieWired

In this video, we dynamically analyze the Linux Black Basta ransomware family. We use strace to determine the required directories and trigger both the encryption and decryption behavior.



Timestamps:
00:00 Intro
00:44 Analysis Environment
02:13 Starting Dynamic Analysis
03:19 Decryptors
04:26 Triggering Encryptor
06:21 Strace
08:00 VMware ESXi
09:39 VMFS Test
12:30 Ransom Note
15:07 Strace Encryptor Output
15:50 Multithreading
17:48 Triggering Decryptor
19:38 Dumped key?
20:58 Decryptor Round 2
22:58 Successful Decryption!
23:27 Recap



Software Links Mentioned in Video:
strace manpage:
https://www.man7.org/linux/manpages/...


Malware Examined in the video (BlackBasta):

Decryptor:
sha256:96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be

Encryptor:
sha256:0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef



laurieWIRED Twitter:
  / lauriewired  

laurieWIRED Website:
http://lauriewired.com

laurieWIRED Github:
https://github.com/LaurieWired

laurieWIRED HN:
https://news.ycombinator.com/user?id=...

laurieWIRED Reddit:
  / lauriewired  

posted by privodilinv