Diyar Saadi

Security Operations Analyst
Spectroblock
Diyar Saadi is a computer security researcher, MITRE ATT&CK contributor, and CVE discoverer (CVE-2024-25400, CVE-2024-25399), sharing insights that help organizations strengthen defenses against evolving cyber threats.

Speaker sessions

Reverse Engineering Locker Ransomware

Locker ransomware is a form of malware that blocks user access to their device by locking the screen, demanding a ransom to restore control. Unlike crypto-ransomware, it doesn’t encrypt files. However, because it shares behavioral traits, such as demanding payment and preventing normal system usage, it's often classified as ransomware. This session dives deep into the reverse engineering process of locker ransomware, focusing on how it operates, hides, and locks access.

We begin with basic static analysis: examining the PE header, identifying the compiler used, scanning for suspicious strings, and evaluating the import address table. Tools like PE Studio, DIE, BinText, and 4n4lDetector are introduced for initial analysis. For .NET-based locker samples, we explore dnSpy, ILSpy, and dotPeek to view and analyze decompiled code. We also cover native binaries using tools like IDA Pro, Ghidra, and Radare2. You'll learn how to identify packers by section names and unpack them using utilities like UPX and de4dot.

The session also explains the unlocking chain: how the ransomware checks for a key (hardcoded or file-based), the process of validation, and unlocking. We'll inspect features like VM/sandbox detection, persistence through registry or Task Scheduler, and USB spread mechanisms. Techniques to disable Task Manager, Registry Editor, and recovery options are also reviewed.

Finally, we emphasize string analysis to locate embedded keys, understand behavior, and trigger unlock conditions. Real-world code snippets and logic breakdowns are shared to demonstrate how to defeat and reverse engineer locker ransomware effectively.
  • 16:00
  • Thu
  • 04 Dec
Stage: Briefings 1
Sessions Type: Presentation
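
The abstract mentions identifying packers by section names during static triage. The Python below is an added illustration of that check, not code from the session or the speaker: it walks a PE section table and flags well-known packer section names. The marker table, the helper names and the `build_sample` header bytes are assumptions constructed for this example.

```python
import struct

# Section names commonly left behind by packers (assumed, non-exhaustive table).
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}

def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # first section header
    out = []
    for i in range(n_sections):
        off = table + i * 40                                 # each header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        out.append((name, vsize, rsize))
    return out

def packer_hints(data):
    """Flag known packer section names and sections with no bytes on disk."""
    hints = []
    for name, vsize, rsize in pe_sections(data):
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTIONS:
            hints.append((label, PACKER_SECTIONS[name]))
        elif rsize == 0 and vsize > 0:
            hints.append((label, "no raw data on disk (unpack target or .bss)"))
    return hints

def build_sample(names, raw_size=0x200):
    """Constructed PE headers only (DOS stub + COFF + section table), not a program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1),
                    raw_size, 0x200) + b"\0" * 16 for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + secs

if __name__ == "__main__":
    print(packer_hints(build_sample([b"UPX0", b"UPX1", b".rsrc"])))
```

A section-name match is only a triage hint: names can be renamed or stripped, so confirm with entropy and import-table checks before choosing an unpacker.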