
Operation BlackLock

Forensics 400 pts standard
Challenge Description

Nexus Financial's SOC received reports that a workstation was suddenly encrypted by ransomware.

Several files became inaccessible, a ransom note appeared on the user's desktop, and suspicious activity was detected shortly before the incident.

You have been provided with the available forensic evidence recovered from the affected workstation. Investigate the incident, identify the attack chain, and recover the encryption key left behind by the ransomware.

Flag Format - HackCTF{key}

Author - prap

Hints

The answer is not inside the encrypted documents. Investigators often recover secrets from memory.

Search for interesting strings inside the memory dump.

The recovered key is represented in hexadecimal format.
