creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
c60cb4aa7b06faca439e4335b4eb9727570072db
Anthropic-Cybersecurity-Skills/skills/reverse-engineering-ransomware-encryption-routine/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

53 lines
1.9 KiB
Markdown
Raw Blame History

# API Reference: Reverse Engineering Ransomware Encryption
## Cryptographic Algorithm Constants
| Algorithm | Signature | Description |
|-----------|-----------|-------------|
| AES | S-Box starting `0x63 0x7C 0x77` | AES Rijndael substitution box |
| RSA | DER `0x30 0x82` prefix | ASN.1 RSA key structure |
| ChaCha20/Salsa20 | `expand 32-byte k` | Stream cipher constant |
| RC4 | Sequential 0-255 state | Key scheduling algorithm init |
## Encryption Analysis Techniques
| Technique | Tool | Purpose |
|-----------|------|---------|
| Entropy analysis | `ent`, Python | Detect encrypted regions |
| Constant scanning | IDA/Ghidra YARA | Find crypto implementations |
| API tracing | x64dbg, Frida | Trace CryptEncrypt/BCrypt calls |
| Key extraction | Volatility3 | Dump keys from memory |
## Ransomware Encryption Patterns
| Pattern | Indicator |
|---------|-----------|
| Full encryption | Entropy > 7.9 across entire file |
| Intermittent | High entropy blocks with gaps |
| Header-only | First N bytes encrypted, rest plain |
| Appended metadata | File larger than original (key/IV at end) |
## Common Ransomware Crypto
| Family | Algorithm | Key Mgmt |
|--------|-----------|----------|
| LockBit 3.0 | AES-256-CBC + RSA-2048 | Per-file AES key, RSA-encrypted |
| BlackCat/ALPHV | ChaCha20 + RSA-4096 | Rust implementation |
| Royal | AES-256-CBC + RSA-2048 | Intermittent encryption |
| Akira | ChaCha20 | Partial file encryption |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `hashlib` | stdlib | SHA256 hashing |
| `struct` | stdlib | Binary data parsing |
| `re` | stdlib | Pattern extraction |
| `math` | stdlib | Shannon entropy calculation |
## References
- ID Ransomware: https://id-ransomware.malwarehunterteam.com/
- NoMoreRansom Decryptors: https://www.nomoreransom.org/en/decryption-tools.html
- Ghidra: https://ghidra-sre.org/
Reference in New Issue View Git Blame Copy Permalink