{"id":508,"date":"2021-08-22T10:26:44","date_gmt":"2021-08-22T14:26:44","guid":{"rendered":"https:\/\/snehpatel.com\/?p=508"},"modified":"2021-08-22T10:26:47","modified_gmt":"2021-08-22T14:26:47","slug":"disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery","status":"publish","type":"post","link":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/","title":{"rendered":"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? Ransomware Recovery"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong><em>Intro<\/em><\/strong><\/h2>\n\n\n\n<p>Ransomware attacks are on the rise and becoming more sophisticated. Companies with little to no backup plan struggle the most. As we know, with ransomware attacks comes encryption, and it is a real pain to decrypt any files without a key. So that kept me thinking: how is this decryption tool able to handle the task without a key?<\/p>\n\n\n\n<p>In this post, we will look at the ransomware decryption tool and how it works. 
The objective of this post is to understand how a ransomware recovery tool decrypts files on infected machines or, in the case of some tools, gets the decryption key.<\/p>\n\n\n\n<p>To get started, I began looking at the most common and popular tools available to decrypt files from ransomware attacks.<\/p>\n\n\n\n<p>You can start looking at the following websites for that:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.nomoreransom.org\">https:\/\/www.nomoreransom.org<\/a> (one of the great free sites for dealing with ransomware)<\/li><li><a href=\"https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/\">https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/<\/a><\/li><li><a href=\"https:\/\/noransom.kaspersky.com\/\">https:\/\/noransom.kaspersky.com\/<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><em>Other Methods of Decryption<\/em><\/strong><\/h2>\n\n\n\n<p>Before we look at how the decryption tools work, let&#8217;s take a sneak peek at other methods of decryption:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Reverse engineer ransomware executable<\/li><li>Analyze process memory dump of ransomware process<\/li><li>Brute force the key<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><em>Reverse Engineer Ransomware Executable<\/em><\/strong><\/h3>\n\n\n\n<p>If you are lucky and have been affected by older ransomware, it might contain a hard-coded decryption password. That password can be extracted with a simple debugger and assembly editor such as dnSpy for ransomware written in .NET. 
If that didn&#8217;t work let&#8217;s check out other methods.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" data-attachment-id=\"509\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?fit=1299%2C728&amp;ssl=1\" data-orig-size=\"1299,728\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?fit=1024%2C574&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?resize=1024%2C574&#038;ssl=1\" alt=\"\" class=\"wp-image-509\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?resize=1024%2C574&amp;ssl=1 1024w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?resize=300%2C168&amp;ssl=1 300w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?resize=768%2C430&amp;ssl=1 768w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?w=1299&amp;ssl=1 1299w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Hard-coded password for decryption<\/figcaption><\/figure>\n\n\n\n<h3 
class=\"wp-block-heading\"><strong><em>Analyze Process Memory Dump for Ransomware Process<\/em><\/strong><\/h3>\n\n\n\n<p>With more sophisticated ransomware, passwords might be revealed in memory while the process is running. You can take a memory dump with a simple tool like Process Hacker and use a hex editor to analyze the data the ransomware stores in memory.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"527\" data-attachment-id=\"510\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image-1-2\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?fit=906%2C527&amp;ssl=1\" data-orig-size=\"906,527\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?fit=906%2C527&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?resize=906%2C527&#038;ssl=1\" alt=\"\" class=\"wp-image-510\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?w=906&amp;ssl=1 906w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?resize=300%2C175&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1.png?resize=768%2C447&amp;ssl=1 768w\" sizes=\"auto, (max-width: 906px) 100vw, 906px\" \/><figcaption>Example: How to perform a memory dump using Process Hacker<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><em>Brute Force the Key<\/em><\/strong><\/h3>\n\n\n\n<p>If you are unlucky and the above-mentioned methods did not work, then your only option is to brute-force the decryption key, and if the ransomware is using some advanced encryption algorithm, then good luck cracking the key within years.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><em>Simple Method of Decryption. Ransomware Decryption Tool<\/em><\/strong><\/h2>\n\n\n\n<p>Now that all the other options have been discussed, let&#8217;s dive deep into our first and easiest option: using a decryption tool from one of the websites mentioned above.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"645\" data-attachment-id=\"511\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image-2-2\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?fit=1285%2C809&amp;ssl=1\" data-orig-size=\"1285,809\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-2\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?fit=1024%2C645&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?resize=1024%2C645&#038;ssl=1\" alt=\"\" class=\"wp-image-511\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?resize=1024%2C645&amp;ssl=1 1024w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?resize=300%2C189&amp;ssl=1 300w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?resize=768%2C484&amp;ssl=1 768w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-2.png?w=1285&amp;ssl=1 1285w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Emsisoft Ransomware Decryption Tool<\/figcaption><\/figure>\n\n\n\n<p>As for how it works, you simply upload an encrypted file, and the site shows which ransomware it is and redirects you to the decryption tool. You then run the tool, select the folder you want to decrypt, and start the process. There are tools available for most ransomware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><em>What&#8217;s Inside Ransomware Decryption Tool<\/em><\/strong><\/h2>\n\n\n\n<p>For a sample, I chose the Emsisoft Jigsaw Decryptor. So let&#8217;s see how it works:<\/p>\n\n\n\n<p>The first thing that we see is the application loader. 
Not anything important for us.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" data-attachment-id=\"512\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image-3\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?fit=1295%2C730&amp;ssl=1\" data-orig-size=\"1295,730\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-3\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?fit=1024%2C577&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?resize=1024%2C577&#038;ssl=1\" alt=\"\" class=\"wp-image-512\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?resize=1024%2C577&amp;ssl=1 1024w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?resize=768%2C433&amp;ssl=1 768w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-3.png?w=1295&amp;ssl=1 1295w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>What&#8217;s inside 1<\/figcaption><\/figure>\n\n\n\n<p>Next is Jigsaw with a config file called 
&#8220;BaseKeyFile&#8221; with the parameter &#8220;keyfile&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"419\" data-attachment-id=\"514\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image-4\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?fit=1278%2C523&amp;ssl=1\" data-orig-size=\"1278,523\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-4\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?fit=1024%2C419&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?resize=1024%2C419&#038;ssl=1\" alt=\"\" class=\"wp-image-514\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?resize=1024%2C419&amp;ssl=1 1024w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?resize=300%2C123&amp;ssl=1 300w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?resize=768%2C314&amp;ssl=1 768w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-4.png?w=1278&amp;ssl=1 1278w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>What&#8217;s inside 2<\/figcaption><\/figure>\n\n\n\n<p>Here is the content of the 
&#8220;Keyfile&#8221;, which shows that it holds predefined keys collected from various samples.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1017\" height=\"459\" data-attachment-id=\"515\" data-permalink=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/image-5\/#main\" data-orig-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?fit=1017%2C459&amp;ssl=1\" data-orig-size=\"1017,459\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-5\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?fit=1017%2C459&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?resize=1017%2C459&#038;ssl=1\" alt=\"\" class=\"wp-image-515\" srcset=\"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?w=1017&amp;ssl=1 1017w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?resize=300%2C135&amp;ssl=1 300w, https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-5.png?resize=768%2C347&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1017px) 100vw, 1017px\" \/><figcaption>What&#8217;s inside 3<\/figcaption><\/figure>\n\n\n\n<p>This decryptor was easy to analyze. To conclude, there can be various decryptors that use the same technique: a 
prebuilt dictionary of decryption keys collected from samples and ransomware attacks, with the tool trying different keys to decrypt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><em>References:<\/em><\/strong><\/h2>\n\n\n\n<p><a href=\"https:\/\/thepcsecuritychannel.com\/\">https:\/\/thepcsecuritychannel.com\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/\">https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intro Ransomware attacks are on the rise and becoming more sophisticated. Companies with little to no backup plan struggle the most. As we know, with ransomware attacks comes encryption, and it is a real pain to decrypt any files without a key. So that kept me thinking: how is this decryption tool able to handle the &#8230; <a title=\"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? Ransomware Recovery\" class=\"read-more\" href=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/\" aria-label=\"Read more about Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? 
Ransomware Recovery\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[82,74,6,75,76,77,83,73,59],"tags":[80,78,79,81],"class_list":["post-508","post","type-post","status-publish","format-standard","hentry","category-guide","category-malware-analysis","category-opensource","category-ransomware","category-ransomware-malware-analysis","category-ransomware-decryption-tool","category-ransomware-recovery","category-reverse-engineering","category-security","tag-decryption-tool","tag-ransomware","tag-ransomware-decryption-tool","tag-ransomware-recovery"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Disassembling ransomware decryption tool What\u2019s inside the decryption tool?      How does the decryption tool work? Ransomware Recovery - Sneh Patel<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Disassembling ransomware decryption tool What\u2019s inside the decryption tool?      How does the decryption tool work? Ransomware Recovery - Sneh Patel\" \/>\n<meta property=\"og:description\" content=\"Intro Ransomware attacks are on rising and becoming more sophisticated. Companies without little to no backup plan, struggle the most. As we know with ransomware attacks comes encryption. And it is a real pain to decrypt any files without a key. 
So that kept me thinking, how is this decryption tool able to handle the ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/\" \/>\n<meta property=\"og:site_name\" content=\"Sneh Patel\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-22T14:26:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-22T14:26:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1024x574.png\" \/>\n<meta name=\"author\" content=\"Sneh Patel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sneh Patel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/\"},\"author\":{\"name\":\"Sneh Patel\",\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#\\\/schema\\\/person\\\/a39105bc63f7e11a0e07b12a4c3dda73\"},\"headline\":\"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? 
Ransomware Recovery\",\"datePublished\":\"2021-08-22T14:26:44+00:00\",\"dateModified\":\"2021-08-22T14:26:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/\"},\"wordCount\":575,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#\\\/schema\\\/person\\\/a39105bc63f7e11a0e07b12a4c3dda73\"},\"image\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/image-1024x574.png\",\"keywords\":[\"decryption tool\",\"ransomware\",\"ransomware decryption tool\",\"ransomware recovery\"],\"articleSection\":[\"Guide\",\"Malware Analysis\",\"opensource\",\"Ransomware\",\"Ransomware\",\"Ransomware Decryption Tool\",\"Ransomware Recovery\",\"Reverse Engineering\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/\",\"url\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/\",\"name\":\"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? 
How does the decryption tool work? Ransomware Recovery - Sneh Patel\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/image-1024x574.png\",\"datePublished\":\"2021-08-22T14:26:44+00:00\",\"dateModified\":\"2021-08-22T14:26:47+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/snehpatel.com\\\/index.php\\\/2021\\\/08\\\/22\\\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/image.png?fit=1299%2C728&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/image.png?fit=1299%2C728&ssl=1\",\"width\":1299,\"height\":728},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#website\",\"url\":\"https:\\\/\\\/snehpatel.com\\\/\",\"name\":\"Sneh Patel\",\"description\":\"Cyber Security 
Blog\",\"publisher\":{\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#\\\/schema\\\/person\\\/a39105bc63f7e11a0e07b12a4c3dda73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/snehpatel.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/snehpatel.com\\\/#\\\/schema\\\/person\\\/a39105bc63f7e11a0e07b12a4c3dda73\",\"name\":\"Sneh Patel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1\",\"width\":672,\"height\":222,\"caption\":\"Sneh Patel\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/snehpatel.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1\"},\"sameAs\":[\"http:\\\/\\\/snehpatel.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Disassembling ransomware decryption tool What\u2019s inside the decryption tool?      How does the decryption tool work? 
Ransomware Recovery - Sneh Patel","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/","og_locale":"en_US","og_type":"article","og_title":"Disassembling ransomware decryption tool What\u2019s inside the decryption tool?      How does the decryption tool work? Ransomware Recovery - Sneh Patel","og_description":"Intro Ransomware attacks are on rising and becoming more sophisticated. Companies without little to no backup plan, struggle the most. As we know with ransomware attacks comes encryption. And it is a real pain to decrypt any files without a key. So that kept me thinking, how is this decryption tool able to handle the ... Read more","og_url":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/","og_site_name":"Sneh Patel","article_published_time":"2021-08-22T14:26:44+00:00","article_modified_time":"2021-08-22T14:26:47+00:00","og_image":[{"url":"https:\/\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1024x574.png","type":"","width":"","height":""}],"author":"Sneh Patel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sneh Patel","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/#article","isPartOf":{"@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/"},"author":{"name":"Sneh Patel","@id":"https:\/\/snehpatel.com\/#\/schema\/person\/a39105bc63f7e11a0e07b12a4c3dda73"},"headline":"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? Ransomware Recovery","datePublished":"2021-08-22T14:26:44+00:00","dateModified":"2021-08-22T14:26:47+00:00","mainEntityOfPage":{"@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/"},"wordCount":575,"commentCount":1,"publisher":{"@id":"https:\/\/snehpatel.com\/#\/schema\/person\/a39105bc63f7e11a0e07b12a4c3dda73"},"image":{"@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1024x574.png","keywords":["decryption tool","ransomware","ransomware decryption tool","ransomware recovery"],"articleSection":["Guide","Malware Analysis","opensource","Ransomware","Ransomware","Ransomware Decryption Tool","Ransomware Recovery","Reverse 
Engineering","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/","url":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/","name":"Disassembling ransomware decryption tool What\u2019s inside the decryption tool? How does the decryption tool work? Ransomware Recovery - Sneh Patel","isPartOf":{"@id":"https:\/\/snehpatel.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/#primaryimage"},"image":{"@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image-1024x574.png","datePublished":"2021-08-22T14:26:44+00:00","dateModified":"2021-08-22T14:26:47+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-ransomware-recovery\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/snehpatel.com\/index.php\/2021\/08\/22\/disassembling-ransomware-decryption-tool-whats-inside-the-decryption-tool-how-does-the-decryption-tool-work-
ransomware-recovery\/#primaryimage","url":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?fit=1299%2C728&ssl=1","contentUrl":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2021\/08\/image.png?fit=1299%2C728&ssl=1","width":1299,"height":728},{"@type":"WebSite","@id":"https:\/\/snehpatel.com\/#website","url":"https:\/\/snehpatel.com\/","name":"Sneh Patel","description":"Cyber Security Blog","publisher":{"@id":"https:\/\/snehpatel.com\/#\/schema\/person\/a39105bc63f7e11a0e07b12a4c3dda73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/snehpatel.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/snehpatel.com\/#\/schema\/person\/a39105bc63f7e11a0e07b12a4c3dda73","name":"Sneh Patel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2020\/09\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1","url":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2020\/09\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1","contentUrl":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2020\/09\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1","width":672,"height":222,"caption":"Sneh 
Patel"},"logo":{"@id":"https:\/\/i0.wp.com\/snehpatel.com\/wp-content\/uploads\/2020\/09\/cropped-Slide4-1.jpg?fit=672%2C222&ssl=1"},"sameAs":["http:\/\/snehpatel.com"]}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/posts\/508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/comments?post=508"}],"version-history":[{"count":3,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/posts\/508\/revisions"}],"predecessor-version":[{"id":517,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/posts\/508\/revisions\/517"}],"wp:attachment":[{"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/media?parent=508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/categories?post=508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/snehpatel.com\/index.php\/wp-json\/wp\/v2\/tags?post=508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}