The Ransomware that helped its victim restore her files | TryHackMe Retracted
The video is a walkthrough of the Retracted room from TryHackMe, which focuses on a ransomware case study. The ransomware in this challenge quickly allowed the victim to restore access to her files, which makes it an interesting case study as presented in the TryHackMe Retracted room. The video also demonstrates how to use Windows Event Viewer to analyze logs, track events, and piece together a timeline of a ransomware attack. The focus is on using event IDs to trace actions such as process creation, network activity, and remote logins. By arranging the events in chronological order, the investigator can understand how the attack unfolded.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Overview
The scenario revolves around a ransomware attack on a user's computer: the files are encrypted and then mysteriously decrypted. The user's son is tasked with uncovering the details of the attack.
Ransomware Investigation
Identifying the Program that Created the Ransomware Note:
Finding the Time of Execution for the Ransomware Note:
Discovering the Installer Name:
Identifying the Download Location of the Installer:
File Extension Used by the Ransomware:
IP Address Contacted by the Installer:
Attacker’s Source IP via RDP:
Finding When the Decryptor Was Run:
Building a Timeline:
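The timeline-building approach described above, as an added PowerShell example that is not part of the room or the video: it pulls process creations (Sysmon Event ID 1), network connections (Sysmon Event ID 3) and RDP logons (Security Event ID 4624 with LogonType 10) and sorts them by time. It assumes Sysmon is installed with its default log name and that the shell is elevated so the Security log is readable.

```powershell
# Added example: merge Sysmon and Security events into one chronological timeline.
# Assumes Sysmon is installed (log 'Microsoft-Windows-Sysmon/Operational') and an elevated shell.
function Get-EventDataMap {
    # Turn an event's <EventData> into a name -> value hashtable, so fields are
    # looked up by name (Image, CommandLine, DestinationIp, ...) rather than by index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$timeline = @()

# Sysmon ID 1 = process creation (who launched the ransomware / installer / decryptor),
# Sysmon ID 3 = network connection (which IP the installer contacted).
$sysmon = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,3} -ErrorAction SilentlyContinue
foreach ($e in $sysmon) {
    $d = Get-EventDataMap $e
    if ($e.Id -eq 1) {
        $detail = "ProcessCreate: $($d.Image) | cmd: $($d.CommandLine) | parent: $($d.ParentImage)"
    } else {
        $detail = "NetConnect: $($d.Image) -> $($d.DestinationIp):$($d.DestinationPort)"
    }
    $timeline += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon'; Id = $e.Id; Detail = $detail }
}

# Security ID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# IpAddress in that event is the remote side of the RDP session.
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -ErrorAction SilentlyContinue
foreach ($e in $logons) {
    $d = Get-EventDataMap $e
    if ($d.LogonType -eq '10') {
        $detail = "RDP logon: $($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress)"
        $timeline += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security'; Id = $e.Id; Detail = $detail }
    }
}

# Ordering by TimeCreated is what lets the note creation, installer download,
# outbound connection, RDP session and decryptor run be read as one sequence.
$timeline | Sort-Object Time | Format-Table Time, Source, Id, Detail -AutoSize -Wrap
```

On a busy host, narrow the Get-WinEvent filters with StartTime/EndTime in the hashtable to the window around the ransom note's creation time before sorting.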
Room Answers | TryHackMe Retracted
Room answers can be found here
Video Walkthrough | TryHackMe Retracted