--[ Ransomware, Exorcising Alastor

Abstract

Are you brave enough to try and fight back against a live ransomware infection in a Windows network? You will be pitted against our latest malware sample Alastor in a live environment and charged with trying to stop the infection from spreading and trying to recover the critical files that have been lost.

Participants will be asked to assume the role of a forensic investigator or malware analyst and placed in a live virtual Windows 10 environment. The Alastor infection will launch without warning and participants will be divided into two groups:

Forensic Investigators

The forensic investigator must be able to examine a live system that has been infected or where an infection just took place. They should use forensic techniques to attempt to identify the malware that caused the infection. The forensic investigator should be able to examine network communications to identify any Internet connected assets the malware may communicate with during infection for command and control. The forensic investigator may be required to examine C2 servers to identify vulnerabilities that could be leveraged to gain access and identify decryption details. The forensic investigator should be able to develop indicators of compromise for an active infection and hopefully develop mitigations to prevent any further infection such as firewall restrictions or Windows Defender security policy changes.

Malware Analysts

The malware analyst should be able to examine a Windows binary without uploading to VirusTotal or any Internet connected virus scanner or sandboxing site(s). They should be able to identify embedded strings, instructions, configuration files and ideally identify embedded code. The malware analyst should be able to identify indicators of compromise and write pattern matching rules or signatures that they can share with future investigators or examine other systems for potential infections.

These groups need to work together to attempt to stop active infections and prevent spread of Alastor to new hosts within the environment. They will need to study the infected hosts, the network communications and the actual malware samples themselves if they can identify them. We will provide guiding hints to help move the story along but may also inhibit the investigation if we find skilled participants are going to rush to a solution alone without helping their team solve the problem.