Ransomware Reverse Engineering
This section provides an in-depth exploration of ransomware analysis, focusing on the DarkSide ransomware.
Through hands-on exercises, students delve into the techniques used by ransomware developers to obfuscate and encrypt malicious payloads. Lessons cover initial analysis, identifying packed or encrypted sections, and using tools like IDA Pro to unpack and analyze runtime code.
Key topics include dynamic API resolution, rebuilding the Import Address Table (IAT), and decrypting and parsing the binary's resource sections. Students learn to trace ransomware behavior, such as machine fingerprinting, privilege escalation, and encryption routines, and also practice taking memory snapshots and reconstructing decrypted code for static analysis. This section equips learners with practical skills to dissect and understand the tactics, techniques, and procedures (TTPs) of ransomware.