Decrypting hidden tear ransomware

Let's see another example with hidden tear ransomware. Consider a scenario where hidden tear ransomware has locked files on a Windows 10 system, and the situation is pretty bad, as shown in the following screenshot:

It looks like the files are encrypted. Let's try opening a file as follows:

Yes—the contents of the file are encrypted. Luckily for us, we have a PCAP of the fully captured data with us. Let's start our analysis:

We can see we have a fairly large PCAP file, containing a good amount of HTTP data. ...
