Let's see another example with hidden tear ransomware. Consider a scenario where hidden tear ransomware has locked files on a Windows 10 system, and the situation is pretty bad, as shown in the following screenshot:
It looks like the files are encrypted. Let's try opening a file as follows:
Yes—the contents of the file are encrypted. Luckily for us, we have a full packet capture (PCAP) of the traffic from the infected system. Let's start our analysis:
We can see that we have a fairly large PCAP file containing a good amount of HTTP data. Since we know that malware is often betrayed by its user-agent string, display the full user-agent and URI data in Wireshark as we did in the earlier examples:
We can see that most of the data is being fetched from Microsoft domains and is probably Windows Update traffic. Let's exclude this user-agent and see what we are left with:
We can see that by using the !(http.user_agent == "Microsoft-Delivery-Optimization/10.0") && http.request.full_uri && !ssdp filter, we are left with only a few packets. Let's investigate the packets as follows:
We can see that a GET request containing our machine name and some string is sent to a domain. Could this be the password? We'll have to check. Let's download the decrypter from https://github.com/goliate/hidden-tear:
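The same triage can be scripted once the user-agent and full-URI columns have been exported from Wireshark. The following is an added example, not code from the book or from the hidden-tear project: it applies the equivalent of the display filter above to a constructed list of requests and pulls out the candidate key from the query string. The hostname, username, key and the noisy Windows Update user-agent strings are made up, and the assumed query layout (COMPUTERNAME-username followed by a space and the password) is taken from the hidden-tear source rather than from the capture shown here.

```python
"""Triage exported HTTP requests for a hidden-tear style key exfiltration."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows: (http.user_agent, http.request.full_uri) as Wireshark
# would display them. Hostname, username, key and domains are all made up.
HOSTNAME = "DESKTOP-VICTIM"
SAMPLE_REQUESTS = [
    ("Microsoft-Delivery-Optimization/10.0",
     "http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc"),
    ("Microsoft-Delivery-Optimization/10.0",
     "http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/def"),
    ("Mozilla/5.0",
     "http://c2.example.invalid/hidden-tear/write.php?info="
     "DESKTOP-VICTIM-alice%20Q7x2pLm9Rb4sK1vW"),
    ("Windows-Update-Agent/10.0",          # constructed, not a real capture
     "http://fe2.update.microsoft.com/v6/ClientWebService/client.asmx"),
]

NOISY_UA = "Microsoft-Delivery-Optimization/10.0"


def filter_requests(requests, noisy_ua=NOISY_UA):
    """Equivalent of the Wireshark filter
    !(http.user_agent == "<noisy_ua>") && http.request.full_uri
    (the !ssdp clause is moot here because only HTTP rows are exported)."""
    return [(ua, uri) for ua, uri in requests if ua != noisy_ua and uri]


def find_exfil_candidates(requests, hostname):
    """Return (uri, candidate_key) for every request whose query string carries
    the machine name. Assumes the hidden-tear layout 'COMPUTERNAME-user key',
    so the last space-separated token of the matching value is the key."""
    hits = []
    for _ua, uri in requests:
        query = urlsplit(uri).query
        # parse_qs percent-decodes values, so %20 becomes a real space
        for values in parse_qs(query).values():
            for value in values:
                if hostname in value:
                    hits.append((uri, value.rsplit(" ", 1)[-1]))
    return hits


if __name__ == "__main__":
    remaining = filter_requests(SAMPLE_REQUESTS)
    for uri, key in find_exfil_candidates(remaining, HOSTNAME):
        print(f"candidate key {key!r} sent to {uri}")
```

In a real case the rows would come from File > Export Packet Dissections in Wireshark or from tshark with the same two fields, and the candidate key is then tried in the decrypter exactly as described below.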
Insert the password that we got from the PCAP analysis as follows:
As soon as we hit the Decrypt My Files button, we see that the locked files are unlocked again:
We can now see that the files were decrypted successfully.