Authors Vess
I kinda disagree with this.
Not disagree as in "He's wrong, this is complete bollocks" but as in "He's right about some things, wrong about others, missing yet others and the things are much more nuanced and discretion must be applied".
I was asked to elaborate, so here it is.
The whole article is based on the premise "ransomware contains data that's private for you, once you upload it, everyone can get it from VirusTotal". This is wrong and incomplete in several ways.
To begin with, by far not all ransomware is hand-crafted for the victim and even when it is, by far not all of it contains personal information.
Furthermore, the author is confusing the ransomware executable (which is what you normally upload to VirusTotal, so that the scanners there can tell you what it is) with the ransom note. The note contains victim-specific data much more often than the executable.
Next, VirusTotal, while hugely popular, is not the only such service. I very much like id-ransomware for ransomware identification - and you never upload the executable there anyway; only encrypted files (and ransom note, if available; often it's not).
Never upload #ransomware samples to the Internet. Let me explain what information such a sample contains, why you shouldn't upload them, and what happens if you upload them after all. #SysAdmin #DFIR #malware https://t.co/M4S3ET5Eqc
— Thomas Barabosch (@tbarabosch) December 28, 2020