mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference: Reverse Engineering Ransomware Encryption

Cryptographic Algorithm Constants

| Algorithm | Signature | Description |
|---|---|---|
| AES | S-Box starting `0x63 0x7C 0x77` | AES Rijndael substitution box |
| RSA | DER `0x30 0x82` prefix | ASN.1 RSA key structure |
| ChaCha20/Salsa20 | `expand 32-byte k` | Stream cipher constant |
| RC4 | Sequential 0-255 state | Key scheduling algorithm init |

Encryption Analysis Techniques

| Technique | Tool | Purpose |
|---|---|---|
| Entropy analysis | ent, Python | Detect encrypted regions |
| Constant scanning | IDA/Ghidra YARA | Find crypto implementations |
| API tracing | x64dbg, Frida | Trace CryptEncrypt/BCrypt calls |
| Key extraction | Volatility3 | Dump keys from memory |

Ransomware Encryption Patterns

| Pattern | Indicator |
|---|---|
| Full encryption | Entropy > 7.9 across entire file |
| Intermittent | High entropy blocks with gaps |
| Header-only | First N bytes encrypted, rest plain |
| Appended metadata | File larger than original (key/IV at end) |
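
A block-wise entropy check for the first three patterns in the table above, as an added example that is not part of the original reference or the project's own scripts. The 4096-byte block size, the function names and the seeded sample buffers are assumptions constructed for illustration; appended metadata is left out because detecting it needs the original file size.

```python
import math
import random
from collections import Counter

BLOCK = 4096   # assumed block size; the page does not specify one
HIGH = 7.9     # bits/byte threshold taken from the patterns table

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_flags(data: bytes, block: int = BLOCK) -> list:
    """One bool per block: True when the block's entropy exceeds HIGH."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    # A short tail has too few samples to reach HIGH even when encrypted,
    # so drop it unless it is the only chunk.
    if len(chunks) > 1 and len(chunks[-1]) < block:
        chunks.pop()
    return [shannon_entropy(c) > HIGH for c in chunks]

def classify(data: bytes, block: int = BLOCK) -> str:
    """Map the per-block flags onto the patterns from the table."""
    flags = block_flags(data, block)
    if not any(flags):
        return "none"
    if all(flags):
        return "full"
    first_low = flags.index(False)
    if first_low > 0 and not any(flags[first_low:]):
        return "header-only"      # high-entropy prefix, plain remainder
    return "intermittent"         # high-entropy blocks with gaps

def _rand(n: int, seed: int) -> bytes:
    """Constructed stand-in for ciphertext (seeded, reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def _text(n: int) -> bytes:
    """Constructed low-entropy plaintext."""
    line = b"2024-01-01 invoice 0001 total 100.00 EUR\n"
    return (line * (n // len(line) + 1))[:n]

if __name__ == "__main__":
    mixed = b"".join(_rand(BLOCK, i) if i % 2 == 0 else _text(BLOCK) for i in range(8))
    for name, buf in [("full", _rand(8 * BLOCK, 1)), ("mixed", mixed)]:
        print(name, classify(buf))
```

High entropy is also typical of compressed formats such as ZIP or JPEG, so the result is an indicator to corroborate with constant scanning or API tracing.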

Common Ransomware Crypto

| Family | Algorithm | Key Mgmt |
|---|---|---|
| LockBit 3.0 | AES-256-CBC + RSA-2048 | Per-file AES key, RSA-encrypted |
| BlackCat/ALPHV | ChaCha20 + RSA-4096 | Rust implementation |
| Royal | AES-256-CBC + RSA-2048 | Intermittent encryption |
| Akira | ChaCha20 | Partial file encryption |

Python Libraries

| Library | Version | Purpose |
|---|---|---|
| hashlib | stdlib | SHA256 hashing |
| struct | stdlib | Binary data parsing |
| re | stdlib | Pattern extraction |
| math | stdlib | Shannon entropy calculation |
