Every 11 seconds
a ransomware attack struck an organization in 2023, according to Cybersecurity Ventures
50 MB/s+
partial-encryption throughput achieved by speed-optimized strains like LockBit 3.0, encrypting only the first 4 KB of each file to maximize speed
56%
of organizations that paid a ransom in 2023 still could not recover all encrypted data, per Veeam's Ransomware Trends Report

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Ransomware reverse engineering sits at the intersection of malware analysis and incident response. The goal is not just to understand how the malware works in the abstract, but to extract operationally actionable data: Is the encryption key stored in memory long enough to recover? Which C2 domain is the sample beaconing to? What mutex name can a detection rule target? What code patterns distinguish this sample from commodity ransomware and suggest a specific threat actor? This guide covers the end-to-end workflow that incident responders and malware analysts use to answer those questions quickly, starting from the moment a suspicious binary arrives in your analysis queue.

Initial Triage with Detect-It-Easy

Before loading a sample into a disassembler, spend five minutes with Detect-It-Easy (DIE). DIE identifies the compiler, packer, and file format of a binary without executing it, which tells you how much effort the threat actor invested in evasion and what analysis approach to take. A sample compiled with MSVC and no packer is ready for immediate analysis in Ghidra. A sample showing UPX packing should be unpacked first using upx -d sample.exe before static analysis, or allowed to unpack itself in a debugger. A sample flagged as a custom packer or with high entropy across the entire PE section map suggests a custom obfuscation layer that will require dynamic analysis to resolve. DIE also extracts embedded strings, import tables, and version resource data. Import tables are particularly valuable at this stage: ransomware that imports CryptAcquireContext, CryptEncrypt, and CryptGenRandom from the Windows CryptoAPI is almost certainly using built-in Windows cryptographic primitives, which simplifies your search for key material. Ransomware that imports no cryptographic functions but shows calls to unusual networking libraries may be staging its encryption payload from a remote source. Record everything DIE reveals before moving to deeper analysis, because those initial observations shape every subsequent step.

Static Analysis with Ghidra and IDA Free

Static analysis means examining the disassembled or decompiled code without running the binary. Ghidra (free, NSA-developed) and IDA Free (limited freeware version of IDA Pro) are the two most accessible tools for this stage. Load the sample into Ghidra, let auto-analysis complete, and start your triage from the entry point and the string list. Ransomware samples almost always contain hard-coded strings that reveal operational intent: ransom note templates, C2 hostnames or IP addresses, mutex names, registry key paths for persistence, and file extension lists used to target specific file types. Search for these strings early. From the entry point, trace execution flow to the main encryption loop. In most ransomware families, this loop iterates over files on local drives and network shares, opens each file, reads chunks into a buffer, encrypts the buffer, and writes it back. The encryption call is usually a wrapper around a symmetric cipher: AES-256 in CBC or CTR mode for most modern strains, with the AES key itself protected by an asymmetric scheme (RSA or elliptic curve) so that decryption requires the threat actor's private key. Identify the function that generates or receives the per-session AES key. This is the most critical artifact for potential decryption key recovery. Note the function address and any constants used in the key derivation routine. Ghidra's decompiler view makes this substantially faster than reading raw assembly: look for calls to BCryptGenerateSymmetricKey, CryptImportKey, or custom key expansion routines that expand a short seed into a full 256-bit key.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Identifying Ransomware Families by Code Patterns

Different ransomware families have distinctive engineering choices that persist across samples and make attribution possible from code alone. LockBit 3.0 is known for its speed-optimized partial encryption approach: rather than encrypting entire files, it encrypts only the first 4 KB (or a configurable initial chunk), which allows it to process thousands of files per minute on modern hardware while making files unrecoverable without the key. If you see a read-encrypt-write loop that consistently targets a fixed small offset at the start of each file, LockBit 3.0 or a derivative is likely. Conti uses a thread-pool model with 32 to 64 concurrent encryption threads, maximizing CPU utilization across all cores. In Ghidra, a Conti sample's encryption dispatcher is recognizable by the creation of a large number of threads early in execution and a work queue that distributes file handles across those threads. BlackCat (ALPHV) is compiled in Rust, which produces distinctive calling conventions and data structures compared to C or C++ ransomware. The absence of familiar MSVC runtime library patterns and the presence of Rust's standard library mangled symbols are a reliable indicator. Identifying the family narrows your search for published decryptors: law enforcement operations against HIVE, REvil, and BlackMatter have released master private keys that allow full decryption of affected files, but only if you can confirm the family match.

Dynamic Analysis with x64dbg in a Flare-VM or REMnux Sandbox

Dynamic analysis means running the sample in a controlled environment and observing its behavior in real time. Never execute ransomware on a production machine or a VM connected to any network share you value. Use Flare-VM (a Windows-based malware analysis distribution built on top of Windows 10, deployable via a PowerShell script from the Mandiant GitHub repository) or REMnux (a Linux distribution with a curated set of analysis tools) as your isolated detonation environment. Flare-VM is the better choice for Windows ransomware because it provides a native execution environment with all analysis tools pre-installed. Before detonating, snapshot the VM so you can restore to a clean state after analysis. In x64dbg, set breakpoints on the cryptographic API calls you identified during static analysis: BCryptEncrypt, CryptEncrypt, and BCryptGenerateSymmetricKey are the highest-value targets. When execution hits those breakpoints, examine the register values and stack frames to locate the encryption key material in memory. For AES-CBC implementations, the key and initialization vector (IV) are passed as arguments to the encrypt function and will be present in registers or on the stack at the moment of the call. Capture those values. If the per-file AES key is derived from a master session key, set an earlier breakpoint at the key derivation function to capture the session key before it is used to generate per-file keys. Also monitor file system and registry activity using Process Monitor (included in Flare-VM) during detonation to capture the full set of persistence mechanisms, dropped files, and ransom note paths.

Extracting Decryption Keys from Memory Mid-Encryption

If ransomware is caught actively encrypting files, you may have a narrow window to recover the encryption key from process memory before it is overwritten or the process exits. This is one of the highest-value interventions available during a live incident. The approach is to capture a full process memory dump of the ransomware process using Task Manager (right-click the process, select Create dump file) or a tool like ProcDump (procdump -ma <pid> memdump.dmp). Once you have the dump, load it into a memory analysis framework such as Volatility or simply search the raw binary for the key material pattern. For AES-256, you are looking for 32 consecutive bytes that match the entropy and structure of an AES key, often preceded or followed by the IV. Tools like findaes (a standalone AES key finder) scan a memory dump for byte patterns consistent with AES key schedule expansion, making this search tractable even without knowing the exact memory address. The success rate of this approach depends on how much of the encryption has already completed: if the ransomware generates a new key per file and immediately discards the previous key, memory recovery may only cover files being actively encrypted at the moment of capture. If the ransomware uses a single session key for all files in a run, a single successful recovery decrypts all affected files.

Extracting C2 Beacon Logic and Key Negotiation

Modern ransomware variants rarely operate as standalone encryptors. Most include a C2 beaconing component that registers the victim with the threat actor's infrastructure, sends a unique victim ID, and either receives the encryption key from the server or sends the locally generated public key to the server for safekeeping. Understanding this flow is critical for two reasons: it may reveal the key exchange mechanism and identify whether the encryption key was ever transmitted in a form that can be recovered from network captures, and it provides the C2 indicators of compromise (IOCs) needed to block the threat actor's infrastructure and detect lateral movement. In Ghidra, look for network API imports: WinHttpOpen, InternetOpenUrl, WSAConnect, or direct socket calls. Trace the code path from those imports back to the data that is serialized and transmitted. Ransomware C2 beacons typically send a JSON or custom binary payload containing the victim ID (often a hash of the machine hostname or MAC address), the victim's generated public key, and system metadata. The response from the C2 server typically contains either the attacker's public key (for hybrid encryption schemes) or a confirmation token. If you capture this exchange in a network dump during dynamic analysis, the public key material may help identify the encryption scheme even if the private key is not recoverable.

Developing YARA Rules from Reverse Engineered Samples

YARA rules translate the unique code patterns and strings you have extracted from reverse engineering into a format that detection engines and threat hunting platforms can use. A well-constructed YARA rule based on a reverse engineered sample will detect not just the exact binary you analyzed but future variants from the same threat actor, because it targets code patterns that are more stable than file hashes. Start with strings: the ransom note template, the C2 hostname, the mutex name, and any hard-coded encryption constants are all candidates. Strings that are unique to the threat actor and unlikely to appear in legitimate software are the highest-value targets. For code patterns, use Ghidra to identify byte sequences that correspond to the unique logic in the encryption loop or key derivation routine, then extract those as hex byte patterns for the YARA rule condition. Apply wildcards (??) to bytes that correspond to addresses or offsets that change between compiled versions of the same codebase, while keeping the surrounding opcode bytes fixed. A practical rule structure includes three to five string conditions combined with a condition that requires at least two or three of them to match, reducing false positive risk while maintaining sensitivity. Test your rules against a clean corpus using yara rule.yar /path/to/corpus before deploying them to your detection stack. Submit finalized rules to public repositories such as YARA-Rules on GitHub and share with your threat intel sharing communities to accelerate detection across the broader defender ecosystem.

The bottom line

Ransomware reverse engineering is a perishable skill that atrophies without practice. The window for recovering encryption keys from memory is measured in minutes during a live incident, not hours. SOC analysts and IR teams that have practiced the Flare-VM workflow, know where to set breakpoints for AES key capture, and have a YARA rule library ready for deployment will consistently outperform teams that approach each incident cold. Build a practice lab with historic ransomware samples from repositories like MalwareBazaar, work through the static-to-dynamic workflow on samples from known families, and maintain a playbook that maps each major ransomware family to its distinguishing code patterns, its encryption scheme, and any available decryptors. The analysis skills you build on yesterday's samples are directly applicable to the variant that hits your environment tomorrow.

Frequently asked questions

Can you recover files from ransomware without paying?

In some cases, yes. Recovery without paying is possible when: a decryptor has been publicly released by law enforcement or security researchers (as happened with HIVE, REvil, and BlackMatter); the ransomware used a flawed encryption implementation that allows key recovery from ciphertext; the encryption key can be extracted from process memory if the ransomware is caught mid-execution; or the victim has offline or immutable backups that predate the infection. Reverse engineering the sample is the fastest way to determine which of these paths apply to a given incident.

What tools do malware analysts use for ransomware reverse engineering?

The core toolkit includes Detect-It-Easy for initial triage and packer identification, Ghidra or IDA Free for static disassembly and decompilation, x64dbg for dynamic debugging and runtime key extraction, Process Monitor for file and registry activity monitoring during detonation, and YARA for rule development. Flare-VM provides a pre-built Windows analysis environment with all these tools installed, while REMnux serves the same purpose on Linux. Volatility is used for memory forensics when capturing key material from live or dumped process memory.

How do you identify which ransomware family infected a system?

Family identification uses several converging signals: the ransom note content and format (each family uses a distinctive template), the file extension appended to encrypted files, code patterns visible in the binary such as LockBit's partial encryption approach or Conti's thread-pool model, compilation artifacts such as PDB paths or MSVC versus Rust toolchains, and C2 infrastructure IOCs. Uploading a sample hash to VirusTotal or the MalwareBazaar database often returns an immediate family attribution if the variant has been previously analyzed.

What is partial file encryption in ransomware?

Partial file encryption is a technique where ransomware encrypts only a portion of each file, typically the first few kilobytes or a fixed chunk at the beginning, rather than encrypting the entire file. LockBit 3.0 popularized this approach because it allows the malware to process thousands of files per minute while still rendering them unrecoverable without the key. The tradeoff is that forensic analysis of encrypted files may reveal the unencrypted remainder, which can help with family attribution even after encryption has completed.

How do YARA rules help with ransomware detection?

YARA rules describe patterns in files or memory that uniquely identify a malware family or threat actor. For ransomware, rules are typically built from hard-coded strings such as mutex names, ransom note templates, and C2 hostnames, combined with binary patterns that correspond to the unique logic in the encryption or key negotiation code. Because these patterns are more stable than file hashes across variants, a YARA rule derived from reverse engineering one sample will often detect subsequent variants from the same threat actor that have been recompiled to change their hash.

How do you safely detonate and analyze a ransomware sample without risking your analysis environment or adjacent systems?

Safe ransomware detonation requires complete network isolation from the production environment. Use a dedicated analysis VM on an isolated VLAN or a cloud-based malware analysis sandbox (Any.run, Triage, or Cuckoo on a dedicated host). Before detonation: take a clean VM snapshot, disable shared folders and clipboard between host and guest, remove network connectivity or route all traffic through a sinkhole/monitoring proxy, and enable Sysmon on the guest for full process and network telemetry. For static analysis before detonation: run 'strings' and 'floss' to extract readable strings (mutex names, ransom note text, C2 domain fragments), use 'CAPA' to identify capabilities automatically (encryption API usage, file enumeration patterns), and check the PE header for compilation timestamps and linker artifacts. Never detonate on hardware that has access to production file shares, Active Directory, or backup infrastructure -- ransomware actively enumerates network shares and some variants specifically target backup systems and shadow copies within the first seconds of execution.

Sources & references

  1. CISA Ransomware Guide
  2. Ghidra Open Source Reverse Engineering Tool
  3. FLARE-VM: A Malware Analysis Environment
  4. REMnux Linux Distribution for Malware Analysts
  5. YARA Documentation
  6. Veeam 2024 Ransomware Trends Report

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.