Disassembling ransomware decryption tool What’s inside the decryption tool? How does the decryption tool work? Ransomware Recovery


Ransomware attacks are on rising and becoming more sophisticated. Companies without little to no backup plan, struggle the most. As we know with ransomware attacks comes encryption. And it is a real pain to decrypt any files without a key. So that kept me thinking, how is this decryption tool able to handle the task without a key.

In this post, we will look at the ransomware decryption tool and its working. The objective of this post will be to understand how the ransomware recovery tool works on decryption files on the infected machines or for some tools get the decryption key.

To get started I begin looking at the most common and popular tools available to decrypt files from ransomware attacks.

You can start looking at the following websites for that:

Other Methods of Decryption

Before we look at how the decryption tools work, let take a seek to peek at other methods of decryption

  • Reverse engineer ransomware executable
  • Analyze process memory dump of ransomware process
  • Brute force the key

Reverse Engineer Ransomware Executable

If you are lucky and have been affected by older ransomware, it might contain a hard-coded password to decrypt. And it can be extracted using the simple debugger and assembly editor tools like dnspy for .net written ransomware. If that didn’t work let’s check out other methods.

Hard-coded password for decryption

Analyze Process Memory Dump for Ransomware Process

With more sophisticated ransomware passwords might be revealed in memory during the running stage. You can perform memory dump using simple tools like Process Hacker and use Hex editor to analyze the data used stored in memory by ransomware.

Example: How to perform memory dump using Process Hacker

Brute Force the Key

If you are unlucky and the above-mentioned methods did not work then your only option is to brute force the decryption key and if the ransomware is using some advanced encryption algorithm then good luck cracking the key in years.

Simple Method of Decryption. Ransomware Decyption Tool

So since all the other options were discussed, let’s dive deep into our first and easy option: that is to use the decryption tool from the mentioned website.

Emsisoft Ransomware Decryption Tool

As with the working you simply need to upload an encrypted file and it will show what ransomware it is and redirect you to the decryption tool. Now you simply run the tool and select the folder you want to decrypt and start the process. There are tools available for most ransomware.

What’s Inside Ransomware Decryption Tool

For a sample, I choose Emsisoft Jigsaw Decryptor. So let see how it works:

The first thing that we see is the application loader. Not anything important for us.

What’s inside 1

Next is Jigsaw with a config file called “BaseKeyFile” with the parameter “keyfile”.

What’s inside 2

Here is the content of the “Keyfile” and it gives away it has predefined keys collected from various samples.

What’s inside 3

This decryptor was easy to analyze but to conclude there can be various decryptor that uses same techniques with prebuild dictionary with decryption keys collected from samples and ransomware attacks and trying different keys to decrypt.




1 thought on “Disassembling ransomware decryption tool What’s inside the decryption tool? How does the decryption tool work? Ransomware Recovery”

Leave a Comment