We have extracted the memory dump from the compromised machine. Find the evidence of the ransomware attack.
https://app.letsdefend.io/challenge/revil-ransomware


First we unzip the challenge file and find that we are given three files: a PNG screenshot, the ransom note, and the memory dump.

This is a screenshot of the system after it was hit by ransomware. We can see that the screen instructs the user to read the file named 993ixjlb-readme.txt. The image is titled "bad day", which might be a clue for the challenge or possibly the name of the ransomware.

From the ransom note, we can gather a lot of useful information. For example, the presence of a Tor address for communication can help us identify the ransomware family. One helpful resource is a website called ID Ransomware, where you can upload the ransom note, a sample of an encrypted file, or payment addresses. It will then try to identify the specific ransomware variant. Knowing the name of the ransomware can assist in further investigation, threat intelligence correlation, and possibly finding available decryption tools or known indicators of compromise. https://id-ransomware.malwarehunterteam.com/index.php
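As an added example (not part of the original writeup), the script below carves the two artifacts discussed above from a raw buffer such as a memory dump or a dropped note: a REvil-style `<extension>-readme.txt` note name (the prefix is the extension appended to encrypted files, as with 993ixjlb here) and any .onion address, searching both ASCII and the UTF-16LE strings Windows keeps in memory. The memory fragment and the onion address are constructed placeholders, not data from the challenge.

```python
import re

# REvil names its note "<extension>-readme.txt"; the note carries a Tor address.
NOTE_NAME_RE = re.compile(r"\b([a-z0-9]{5,12})-readme\.txt\b", re.IGNORECASE)
ONION_RE = re.compile(
    r"\b(?:https?://)?[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)

# Constructed sample fragment (not the real dump): a UTF-16LE file path as
# Windows stores it, some junk bytes, then an ASCII copy of a note with a
# placeholder v3 onion address.
SAMPLE_MEMORY = (
    b"\x00\x00" + "C:\\Users\\victim\\Desktop\\993ixjlb-readme.txt".encode("utf-16-le")
    + b"\x00\x00GARBAGE\xff\xfe"
    + b"Your files are encrypted and have the extension 993ixjlb.\r\n"
    + b"Open 993ixjlb-readme.txt and visit "
    + ("http://" + "placeholder" * 5 + "2.onion/").encode() + b" via Tor.\r\n"
)


def _text_views(data: bytes):
    """Yield the buffer as latin-1 text and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def _unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def find_note_names(data: bytes) -> list[str]:
    """Distinct ransom-note file names found in any string view of the buffer."""
    return _unique(m.group(0).lower() for v in _text_views(data) for m in NOTE_NAME_RE.finditer(v))


def find_onion_urls(data: bytes) -> list[str]:
    """Distinct .onion addresses found in any string view of the buffer."""
    return _unique(m.group(0).lower() for v in _text_views(data) for m in ONION_RE.finditer(v))


def triage(data: bytes) -> dict:
    """Summarise note names, the implied encrypted-file extensions and Tor URLs."""
    notes = find_note_names(data)
    return {
        "note_files": notes,
        "encrypted_extensions": _unique(NOTE_NAME_RE.match(n).group(1) for n in notes),
        "onion_urls": find_onion_urls(data),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_MEMORY).items():
        print(f"{key}: {values}")
```

The extension and onion address it reports are exactly the values ID Ransomware accepts for identification, so the output can be pasted there directly.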

From ID Ransomware, we confirmed it is REvil ransomware, as if we didn't already know that from the challenge name.

The user and operating system information can be found in the first section, labeled "System Information".