# Rans0mYard

**Difficulty:** Hard\
**By:** @W4L33Dx\
**Category:** Forensics\
**Description**:\
Can you help me? I was writing something and, by mistake, I opened ransomware. I want to get my files back, please.

The challenge download was a single file, `RansomYard.ad1`. A quick search showed that AD1 is AccessData's logical image format, which FTK Imager can open.

<figure><img src="/files/wMOwwbCMKKOBTH67qcUx" alt=""><figcaption><p>Fig 1: FTK Imager</p></figcaption></figure>

I went through the image looking for anything suspicious and found that all of the user's files had been encrypted.

<figure><img src="/files/XOjZXU1zBY06pfXILjOR" alt=""><figcaption><p>Fig 2: Encrypted files</p></figcaption></figure>

I couldn't locate the ransomware at first, but then it occurred to me: what if **Windows Defender** had quarantined it? Defender keeps quarantined files under `C:\ProgramData\Microsoft\Windows Defender\Quarantine`, RC4-encrypted with a static key, and this write-up for HackTheBox's Confinement challenge covers how to recover them: [link](https://blog.ry4n.org/hackthebox-ctf-confinement-write-up-a4e3b0429e30#2a9e).

That's where I found `RansomYard.exe`. `Detect It Easy` showed that it was a .NET compiled binary.

<figure><img src="/files/Aq4LxKuK5iRPQFWFhEJc" alt=""><figcaption><p>Fig 3: DIE output</p></figcaption></figure>

I opened `RansomYard.exe` in [**`ILSpy`**](https://github.com/icsharpcode/ILSpy).

<figure><img src="/files/hi271RxNQy81izTLiBsA" alt=""><figcaption><p>Fig 4: IlSpy</p></figcaption></figure>

The decompiled source (`RansomYard.cs`) and the version I patched to turn it into a decryptor (`RansomYard_patched.cs`) are attached:

{% file src="/files/3hA4UhFfFL72h05UxKxb" %}
Decompiled **`RansomYard.exe`**
{% endfile %}

{% file src="/files/Qipm5iHAUnq8mALNheVY" %}
Patched **`RansomYard.exe`**
{% endfile %}

After decrypting all the files, one of them stood out: a password-protected archive named `shop.zip`.

<figure><img src="/files/zINoqkwq0VF4LAhRe2Hq" alt=""><figcaption><p>Fig 5: shop.zip</p></figcaption></figure>

I ran [**`john`**](https://github.com/openwall/john) against it.

<figure><img src="/files/XiHMxATloUtDcBwgEnlN" alt=""><figcaption><p>Fig 6: john</p></figcaption></figure>

While john was running, I went back to the description: the victim was writing something when the ransomware hit!

A bit of searching turned up this article on the Windows 11 Notepad TabState artifact, which keeps the contents of open (even unsaved) tabs on disk: [link](https://medium.com/@mahmoudsoheem/new-digital-forensics-artifact-from-windows-notepad-527645906b7b)

<figure><img src="/files/cpJdiWP4A8SguBfPyf3K" alt=""><figcaption><p>Fig 7: Victim writing</p></figcaption></figure>

The text is readable in the raw file (it is stored as UTF-16LE), but I tidied it up to make the victim's details easier to pick out.

<figure><img src="/files/ttkAufXtzHWYzCxoaeIk" alt=""><figcaption><p>Fig 8: Victim information</p></figcaption></figure>
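To pull the typed text out of a TabState file without a hex editor, here is a small carver I added for this write-up (it is not part of the original post or of the linked article). It does the equivalent of `strings -el`: Notepad stores the tab text as UTF-16LE, so it looks for runs of printable code units and decodes them. The directory path is the documented TabState location; the `NP` magic check is only a sanity check, the carving itself does not depend on the header layout. The sample bytes are constructed, not taken from the challenge image.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Where Windows 11 Notepad keeps the state of open tabs (unsaved text included).
TABSTATE_DIR = (
    r"%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe"
    r"\LocalState\TabState"
)
MAGIC = b"NP"  # TabState .bin files start with these two bytes


def utf16le_runs(data: bytes, min_chars: int = 4) -> list[str]:
    """Carve every run of at least `min_chars` printable UTF-16LE characters.

    Each typed ASCII character is a printable byte followed by 0x00, so the
    regex matches that pair repeated. This deliberately ignores the rest of
    the TabState structure, so it keeps working across Notepad versions.
    """
    unit = rb"[\t\n\r\x20-\x7e]\x00"  # one printable UTF-16LE code unit
    pattern = re.compile(rb"(?:%s){%d,}" % (unit, min_chars))
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def carve_tabstate(data: bytes, min_chars: int = 4) -> dict:
    """Return the magic check and the carved text runs for one TabState blob."""
    return {
        "is_tabstate": data.startswith(MAGIC),
        "text": utf16le_runs(data, min_chars),
    }


# Constructed sample standing in for an unsaved-tab .bin file: only the "NP"
# magic and the UTF-16LE body mirror the real format; the bytes in between
# and after are filler, not real header fields.
SAMPLE = (
    b"NP\x00\x00\x01\x1a"
    + "Dear diary, my dog Rex was born 12/05/2015".encode("utf-16-le")
    + b"\x00\x00\x01\x05\xfe\x7f"
)


def main(argv: list[str]) -> int:
    # Pass one or more .bin files copied out of the image; with no arguments
    # the constructed sample is carved instead.
    blobs = [Path(p).read_bytes() for p in argv[1:]] or [SAMPLE]
    for blob in blobs:
        result = carve_tabstate(blob)
        label = "TabState" if result["is_tabstate"] else "unknown format"
        print(f"[{label}]")
        for run in result["text"]:
            print("   ", run)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Export the `TabState` folder from FTK Imager and run the script over the `.bin` files in it; raising `min_chars` cuts down on short false positives from binary header fields.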

Reading it, [CUPP](https://github.com/Mebus/cupp) came to mind straight away: it builds a targeted wordlist from personal details such as names, pets and dates.

<figure><img src="/files/CTtXWAFVEU324t1Nv761" alt=""><figcaption><p>Fig 9: CUPP</p></figcaption></figure>
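For the john and CUPP steps above, here is an added example (my own code, not CUPP and not part of the original write-up) of what a profile-based wordlist generator does: it takes the victim's details, applies case and leetspeak mutations, and combines the words with date fragments, suffixes and each other. The mutation tables are deliberately small and the profile is constructed; nothing in it comes from the challenge.

```python
from __future__ import annotations

import itertools
import sys
from datetime import date

# Mutations in the spirit of CUPP: leetspeak swaps and common suffixes.
# The tables are small on purpose; extend them for a real engagement.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})
SUFFIXES = ("!", "123", "!!", "1", "@")
SEPARATORS = ("", "_", ".")


def case_variants(word: str) -> set[str]:
    return {word.lower(), word.capitalize(), word.upper()}


def date_fragments(d: date) -> set[str]:
    """The ways people typically fold a date into a password."""
    return {
        str(d.year),
        f"{d.year % 100:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.year}{d.month:02d}{d.day:02d}",
    }


def generate_candidates(profile: dict, min_len: int = 6, max_len: int = 20) -> list[str]:
    """Build a targeted wordlist from a victim profile (CUPP-style)."""
    words: set[str] = set()
    for field in ("name", "surname", "nickname", "pet", "partner", "child", "company"):
        value = profile.get(field)
        if value:
            words |= case_variants(value.strip())
            words |= case_variants(value.strip().lower().translate(LEET))
    for extra in profile.get("keywords", ()):
        words |= case_variants(extra)

    numbers: set[str] = set()
    for field in ("birthdate", "partner_birthdate"):
        if profile.get(field):
            numbers |= date_fragments(profile[field])

    # Plain words, word+suffix, word+date (either order), word+date+suffix,
    # and every ordered pair of words joined by a separator.
    candidates: set[str] = set(words)
    for w in words:
        for s in SUFFIXES:
            candidates.add(w + s)
        for n in numbers:
            candidates.add(w + n)
            candidates.add(n + w)
            for s in SUFFIXES:
                candidates.add(w + n + s)
    for a, b in itertools.permutations(words, 2):
        for sep in SEPARATORS:
            candidates.add(a + sep + b)
    return sorted(c for c in candidates if min_len <= len(c) <= max_len)


# Constructed profile for demonstration; not the victim's real details.
VICTIM = {
    "name": "Alice",
    "pet": "Rex",
    "birthdate": date(1995, 3, 14),
    "keywords": ["shop"],
}

if __name__ == "__main__":
    for candidate in generate_candidates(VICTIM):
        print(candidate)
```

Feed the output to john the same way as the CUPP list: `python gen.py > wordlist.txt`, `zip2john shop.zip > shop.hash`, `john --wordlist=wordlist.txt shop.hash`, then `john --show shop.hash` to print the recovered password.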

Nice! The password cracked :D

<figure><img src="/files/y7XGlfJPF5PwPUHmAmF3" alt=""><figcaption><p>Fig 10: Cracked</p></figcaption></figure>

Inside the archive, `important.txt` holds the flag. YAY!

**FlagY{Y0u\_D3t3c7\_MY\_R4ns0m\_Am4z1ng!!!}**

