
RE: LeoThread 2024-11-19 11:14

in LeoFinance, 3 months ago

Part 4/5:

The disassembly and decompilation of the "encrypt" binary using Ghidra provide further insights. The binary initializes the OpenSSL library, reads in a public key, and creates an RSA object. It then generates a symmetric stream key, encrypts the symmetric key using the RSA public key, and proceeds to encrypt the target file using the symmetric key.

The Decryption Binary

The malware authors also provide a "decrypt" binary, which is likely given to the victims. This binary follows the reverse process of the "encrypt" binary. It takes the private key as input, extracts the encrypted symmetric key from the file, decrypts it using the RSA private key, and then uses the decrypted symmetric key to decrypt the target file.

Conclusion