Recon 2024

Gijs Rijnders

Gijs is a cyber threat intelligence analyst and malware reverse engineer at the Dutch National Police, where he defends the police organization from cyber attacks. He previously worked at the CERT of Tesorion, a Dutch cyber security company, where he reverse engineered various ransomware families and published decryption tools to the NoMoreRansom initiative to help victims recover from attacks.


Sessions

06-30
09:30
30min
Cryptography is hard: Breaking the DoNex ransomware
Gijs Rijnders

In recent years, ransomware has been one of the most prolific forms of cybercrime, with financial gain as the primary motive. The problem keeps getting bigger, with a new operation emerging almost every month. While reverse engineering ransomware is fun, it also serves a greater purpose: can we find a vulnerability that allows us to decrypt a victim's files without interacting with the criminals?

Enter the DoNex ransomware, a new operation that has entered the scene very recently. It runs a leak website on the dark web where some victims have been named and shamed. Reverse engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for victims under a trivial condition. To help victims recover from a ransomware attack, we published a decryption tool on the NoMoreRansom platform, an initiative from a number of parties, including the Dutch National Police, to keep ransomware operators from extorting victims.

In this talk, we will dive into the technical details of DoNex and how we exploited a vulnerability to decrypt files affected by DoNex without the need to negotiate with the cybercriminals.

Presentation Software
Grand Salon