The Ransomware that helped its victim restore her files | TryHackMe Retracted


The video is a walkthrough of the Retracted room from TryHackMe, a ransomware case study in which the victim quickly regained access to her encrypted files. The video also demonstrates how to use Windows Event Viewer to analyze logs, track events, and piece together the timeline of a ransomware attack. The focus is on using event IDs to trace actions such as process creation, network activity, and remote logins; by organizing the events in chronological order, the investigator can understand how the attack unfolded.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Overview

The scenario revolves around a ransomware attack on a user’s computer, with the files encrypted and then mysteriously decrypted. The user’s son is tasked with uncovering the details of the attack.

Ransomware Investigation

Identifying the Program that Created the Ransomware Note:

  • The investigation starts by accessing Windows Event Viewer to examine Sysmon events, specifically process creation events (event ID 1). Filtering these logs for events containing the ransomware note’s name (e.g., “Sophie”) leads to discovering that Notepad was used to create the note.

Finding the Time of Execution for the Ransomware Note:

  • The next step is to find the exact timestamp of the Notepad process creation by filtering event ID 1 again. By examining logs that reference the ransomware note, the execution timestamp is identified.

Discovering the Installer Name:

  • By looking into the browser history or downloads folder, the name of the installer file responsible for the ransomware infection is found, which in this case was labeled “antivirus”.

Identifying the Download Location of the Installer:

  • The file path of the downloaded installer is obtained by right-clicking the file, selecting properties, and copying the download location.

File Extension Used by the Ransomware:

  • Returning to the Windows Event Viewer, investigators search for file creation events related to the ransomware installer and identify that the ransomware appends a “.dmp” extension to the encrypted files.

IP Address Contacted by the Installer:

  • By narrowing the search to network connection events (event ID 3), the IP address that the installer reached out to is uncovered.

Attacker’s Source IP via RDP:

  • After the installer download, the attacker logged in via RDP (Remote Desktop Protocol). Filtering RDP-related events in the logs reveals the source IP address of the attacker’s machine.

Finding When the Decryptor Was Run:

  • The attacker later used a decryptor to restore the encrypted files. By filtering logs for decryptor execution, the exact timestamp of when the file was run is determined.

Building a Timeline:

  • The final task involves organizing the events in the correct chronological order:
    1. The user downloads the ransomware installer.
    2. The ransomware encrypts the system files.
    3. The user reaches out to her son for help.
    4. The attacker logs in via RDP.
    5. The attacker decrypts the files and leaves a note.
    6. The investigation into the ransomware begins.
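The filtering and timeline steps above can be reproduced outside the Event Viewer GUI. The following is an added example, not code from the room or the video: it parses a handful of constructed Windows event XML records (Sysmon event ID 1 and 3, plus a Security 4624 logon), filters them by event ID and keyword the way the walkthrough does, and orders them into a timeline. All paths, IPs and timestamps are illustrative placeholders, not values from the room.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _ev(event_id, time_utc, data):
    # Build one record in Windows event XML form (constructed sample data only).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time_utc}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed events: Sysmon ID 1 (process create), ID 3 (network), Security 4624 (logon).
INST = r"C:\Users\Sophie\Downloads\antivirus.exe"  # illustrative installer path
SAMPLE_EVENTS = [
    _ev(1, "2024-01-08T14:05:09.000Z", {"Image": INST, "CommandLine": "antivirus.exe"}),
    _ev(3, "2024-01-08T14:05:11.000Z", {"Image": INST, "DestinationIp": "198.51.100.23",
                                        "DestinationPort": "443"}),
    _ev(4624, "2024-01-08T14:30:02.000Z", {"LogonType": "10", "IpAddress": "203.0.113.7"}),
    _ev(1, "2024-01-08T14:35:40.000Z", {"Image": r"C:\Windows\System32\notepad.exe",
                                        "CommandLine": r"notepad.exe C:\Users\Sophie\Desktop\SOPHIE.txt"}),
]

def parse_event(xml_text):
    # Flatten <System> and <EventData> into one dict with a timezone-aware timestamp.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "Time": datetime.fromisoformat(stamp)}
    for d in root.find("e:EventData", NS):
        rec[d.get("Name")] = d.text
    return rec

def find_events(events, event_id, contains=None):
    # Same idea as the Event Viewer filter: match the ID, then a keyword in any field.
    hits = []
    for rec in map(parse_event, events):
        if rec["EventID"] == event_id and (contains is None or
                any(contains.lower() in str(v).lower() for v in rec.values())):
            hits.append(rec)
    return hits

DESCRIBE = {  # one-line summary per event ID; logon type 10 is RDP
    1: lambda r: f"process created: {r['Image']}",
    3: lambda r: f"{r['Image']} connected to {r['DestinationIp']}:{r['DestinationPort']}",
    4624: lambda r: f"{'RDP' if r['LogonType'] == '10' else 'other'} logon from {r['IpAddress']}",
}

def build_timeline(events):
    # Sort every record by time and describe it, as in the room's final task.
    recs = sorted(map(parse_event, events), key=lambda r: r["Time"])
    return [(r["Time"].isoformat(), DESCRIBE.get(r["EventID"], lambda r: f"event {r['EventID']}")(r)) for r in recs]
```

Real Sysmon and Security logs can be exported from Event Viewer as XML and fed through `parse_event` one `<Event>` element at a time.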

Room Answers | TryHackMe Retracted

Room answers can be found here

Video Walkthrough | TryHackMe Retracted

