
Reverse Engineering.

We take malware apart, from A to Z, and tell you exactly what it is and what it does, scoped to what you actually need, whether that is detection, attribution, or recovery. A dedicated ransomware practice goes one step further: attempting to break the encryption and get your data back.

Capabilities

Take it apart. Understand it fully.

Two practices: general malware analysis, and a ransomware specialty.

Malware reverse engineering

Complete reverse engineering of a sample, end to end, from a fast triage to a full teardown. We adapt the depth to your goal: detection, threat intelligence, or incident support.

  • Behavioural and code-level understanding of the sample
  • YARA rule creation for detection and threat hunting
  • IOC and configuration extraction (C2, keys, campaign IDs)
  • Capability mapping: persistence, evasion, exfiltration
  • Family attribution and links to known campaigns

Ransomware specialty

A dedicated ransomware practice. Full analysis and family attribution, and, where the cryptography allows, an attempt to build a working decryptor and recover your data.

  • Full static and dynamic analysis of the ransomware
  • Family identification and attribution
  • Review of the encryption scheme for weaknesses
  • Cryptographic exploitation to attempt a decryptor
  • Honest feasibility assessment before any work begins

Method

How an engagement runs.

The same four steps, whether the goal is detection, attribution, or a decryptor.

01. Intake & scoping

We agree on the sample(s), the goal (detection, intel, or decryption) and any constraints.

02. Triage & setup

The sample is triaged and unpacked in an isolated, instrumented analysis lab.

03. Deep analysis

Static and dynamic reverse engineering against the agreed goals, methodical and logged.

04. Reporting

Findings and artefacts (rules, IOCs, and a decryptor where achieved) written up in full.

Deliverable

One complete analysis report.

Everything we find, and how we found it, with the artefacts you can put straight to work.

  • Executive summary in plain language
  • Full, reproducible methodology
  • Behavioural and technical analysis of the sample
  • Extracted IOCs and configuration
  • YARA rules for detection and hunting
  • Capability matrix and family attribution
  • Decryptor and usage notes, where achieved
  • Technical appendix with the underlying detail

Scope

Decryption is attempted, never promised. It depends on a genuine weakness in the ransomware's cryptography. We assess feasibility up front and tell you honestly before any work starts. Reverse engineering here targets the malware itself. Recovering data from disks or investigating how an intrusion happened is the Forensics service.

Contact

Discuss an engagement.

Send us the sample or the case, and we will tell you what we can establish and what is realistic.

contact@sigreturn.com