Hello, welcome to the Tuesday, June 9th, 2020 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Base 64 is certainly still a very popular encoding format.

And in today's diary, the DA shows how to to use his translate.p.y script to translate

parts of a particular file that happen to be base 64 encoded and doing so with essentially

a quick regal expression and a lambda function that does the actual conversion.

A lot of other scripts will translate the entire file, but particularly with Malavir, you may end up

with files that only have certain base 64 strings contained within them, and this allows you to just expand those particular

strings. And remember a few years ago, fake anti-mailware was sort of a big thing or fake

antivirus. Lots of websites out there were peddling what they claimed to be anti-virus anti-malware that

then turned out to be malware after the user installed it.

And I actually think some of the early ransomware use this trick as well.

Probably still happening but don't really see it happening that much anymore. Instead, according to a pleading computer,

looks like the ransomware gangs now sort of have found their own version of this scheme.

On this podcast, I've mentioned before when we had decryption software that people came up with

for certain ransomware families.

And of course, that's always a good thing, then you don't have to pay the ransom anymore.

Now, one reasonably somewhat popular piece of ransomware, the stop or deja vu, ransomware,

has had cryptors for some of the versions of this ransomware, but not for all of them.

It looks like some bad guys now picked this particular ransomware to advertise fake decryptors.

Now, these fake decryptors apparently will just encrypt your files once more.

...