I’m coming here after having my post removed from /r/Malware, because technical support/virus removal questions aren’t allowed there 🤔.
So basically I set up an RDP honeypot so that hackers can connect to it. Today one guy connected, but he forgot to disable drive sharing. I was able to remotely browse his files and I managed to retrieve a few. They all seem to be related to CryLock ransomware, but one of them was a GUI application with quite a few options, maybe also able to decrypt files? Who knows.
My question is – **where can I send these files for experts to analyze them?** If these executables contain private keys then this could be a way to save a lot of people.
Here’s a screenshot of that GUI application (I wonder why so many hackers use old Delphi): [https://imgur.com/U8nC23A](https://imgur.com/U8nC23A)
You can see the app encrypting files here: [https://app.any.run/tasks/d447751c-c921-4db2-9fba-718f87f21cc4/](https://app.any.run/tasks/d447751c-c921-4db2-9fba-718f87f21cc4/)
That’s the message you see after the files have been encrypted: [https://imgur.com/zRt1a3V](https://imgur.com/zRt1a3V)
I decided to email them and got the following response. Looking at that Bitcoin address history, it seems they made quite a lot of money: [https://imgur.com/VpstRGK](https://imgur.com/VpstRGK)