March 25, 2021

I stole some ransomware (CryLock) related executables from a hacker. What can I do with them?


I’m coming here after having my post removed from /r/Malware, because technical support/virus removal questions aren’t allowed there 🤔.

So basically I set up an RDP honeypot so that hackers can connect to it. Today one guy connected, but he forgot to disable drive sharing. I was able to remotely browse his files and I managed to retrieve a few. They all seem to be related to CryLock ransomware, but one of them was a GUI application with quite a few options, maybe also able to decrypt files? Who knows.

My question is – **where can I send these files for experts to analyze them?** If these executables contain private keys then this could be a way to save a lot of people.

Here’s a screenshot of that GUI application (I wonder why so many hackers use old Delphi): [https://imgur.com/U8nC23A](https://imgur.com/U8nC23A)

You can see the app encrypting files here: [https://app.any.run/tasks/d447751c-c921-4db2-9fba-718f87f21cc4/](https://app.any.run/tasks/d447751c-c921-4db2-9fba-718f87f21cc4/)

That’s the message you see after the files have been encrypted: [https://imgur.com/zRt1a3V](https://imgur.com/zRt1a3V)

I decided to email them and got the following response. Looking at that Bitcoin address history, it seems they made quite a lot of money: [https://imgur.com/VpstRGK](https://imgur.com/VpstRGK)
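Before sending the files anywhere, a first offline look is worth doing: hash each file (the hash is what a sandbox such as any.run or an analyst will ask for), check which ones are actually PE executables, and grep them for a PEM-encoded private key and for Delphi build markers. The script below is an added example, not the poster's tooling or any CryLock code; the file names and bytes in SAMPLES are constructed stand-ins, and the PEM check only catches a key stored in text form, so a key embedded as raw bytes would still need a proper disassembly.

```python
"""Offline triage of files pulled from a suspected ransomware operator.

Added example, not from the original post. SAMPLES are constructed stand-ins
(a fake Delphi PE, a fake ransom note, a blob with an embedded PEM key);
nothing here is the real CryLock material.
"""
import hashlib
import re
from dataclasses import dataclass

# PEM private-key block markers: what an embedded operator/master key would look
# like if it is stored in text form at all (raw binary keys need real RE work).
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Strings typical of Delphi-built executables (assumed marker list).
DELPHI_MARKERS = (b"Borland", b"Embarcadero", b"TForm", b"SOFTWARE\\Borland\\Delphi")
# Ransom/contact indicators worth eyeballing before submitting anywhere.
RANSOM_KEYWORDS = (b"decrypt", b"bitcoin", b"btc", b".onion", b"@")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


@dataclass
class Triage:
    name: str
    sha256: str
    is_pe: bool
    pem_private_keys: int
    delphi_markers: list
    ransom_strings: list


def is_pe_file(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes) -> list:
    """Runs of 6+ printable ASCII bytes, like the classic `strings` tool."""
    return [m.group(0) for m in PRINTABLE_RE.finditer(data)]


def triage_sample(name: str, data: bytes) -> Triage:
    strings = printable_strings(data)
    return Triage(
        name=name,
        sha256=hashlib.sha256(data).hexdigest(),
        is_pe=is_pe_file(data),
        pem_private_keys=len(PEM_KEY_RE.findall(data)),
        delphi_markers=sorted({m.decode() for m in DELPHI_MARKERS if m in data}),
        ransom_strings=[s.decode() for s in strings
                        if any(k in s.lower() for k in RANSOM_KEYWORDS)],
    )


def _fake_pe(payload: bytes) -> bytes:
    # Minimal MZ stub with e_lfanew = 0x40, then the PE signature, then payload.
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + payload


# Constructed stand-ins for the retrieved files (not real samples).
SAMPLES = {
    "builder_gui.exe": _fake_pe(b"\x00Embarcadero Delphi for Win32\x00TForm1\x00encrypt files\x00"),
    "how_to_decrypt.hta": b"<html>All your files are encrypted. Write to restore@example.onion</html>",
    "config.dat": b"\x01\x02-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_sample(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for t in triage_all().values():
        print(f"{t.name}: sha256={t.sha256[:16]}... pe={t.is_pe} "
              f"pem_keys={t.pem_private_keys} delphi={t.delphi_markers} "
              f"ransom={t.ransom_strings}")
```

Run it over the real files by replacing SAMPLES with `{p.name: p.read_bytes() for p in Path("loot").iterdir()}`; a non-zero `pem_private_keys` on any file is the case worth escalating to a ransomware analyst immediately, together with the SHA-256 values.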
