Where is my Ransom? Hunting for Ransomware Gangs using radare2 and Yara


ansomware gangs have gotten better and more aggressive over the past years. Their used malware is well developed and some offer ransomware-as-a-service. Specific threat actors publish the collected data, if victims do not pay the demanded ransom. This evolvement made this area an interesting research domain for me. My goal is to collect the newest samples of specific ransomware gangs and understand the different actors. I aim to share IOCs, TTPs and other insights with the community. My research should allow people, companies and other institutions to protect themselves from ransomware attacks. At the beginning of this project, I started to analyse samples from different reports by hand. To do this, I used Cutter. This task was very time consuming. In addition, I was not able to gain new insights after analysing a few samples for a specific group. The collected IOCs and TTPs were already know. So I was not able to generate benefit for anyone. So I started to raise the following question: How am I able to collect new samples for specific groups? I identified two options: First, by waiting for new incidents and the corresponding reports. Second, by hunting for ransomware gangs. Obviously, the first option is not very expedient. So I decided to hunt using Yara. I used VirusTotal and Hybrid Analysis to perform my hunts. In my talk, I will quickly explain the goal of Yara and its capabilities. In addition, I will quickly go over the syntax and present best practices I learned after failing miserably at the beginning (more in my example section of the talk). Next, I will explain how I created Yara rules using different tools around r2 (especially Cutter). I will illustrate this for two rules: The maze and clop ransomware. For each rule, I will go in detail how I created and tested them. In addition, I will explain, how I miserably failed at the beginning and what I learned during the journey.