This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 16 October.
Hyuna Lee & Hyoje Jo (SK Shieldus)
ArgonWiper represents an emerging class of hybrid threats that blur the boundary between ransomware and destructive wipers. Rather than simply encrypting files in place, it selectively deletes targeted data while compressing remaining files into encrypted backup archives, combining destruction, extortion, and operational disruption within a single attack workflow. This design departs from conventional ransomware models and creates a more complex recovery problem for defenders.
In this research, we uncover a practical weakness in ArgonWiper's backup-encryption design that enables reliable recovery of encrypted backup archives for known sample families. By reverse engineering its archive creation and encryption workflow, we show that the backup format repeatedly exposes recoverable key-generation material and IV-related values. These artifacts, together with hard-coded secrets embedded in the malware and Argon2-based key derivation, make reconstruction of encryption keys possible. We further demonstrate that a flawed AES-GCM implementation allows successful decryption when tag verification is bypassed, turning what appears to be irreversible impact into a realistic recovery opportunity for defenders.
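The last point above rests on a property of AES-GCM worth seeing in code: GCM is AES-CTR plus a separate authentication tag, so once a key and nonce have been reconstructed, a missing, wrong or skipped tag check does not stand between a responder and the plaintext. The following Go program is an added illustration, not the decryption tool from this research and not ArgonWiper's code; it assumes the standard 96-bit nonce form and uses a constructed key, nonce and message in place of values that would be reconstructed from an archive and the malware's hard-coded secrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// RecoverWithoutTag decrypts a GCM ciphertext (trailing 16-byte tag) by
// regenerating the AES-CTR keystream that GCM is built on, so a missing or
// corrupt tag no longer blocks recovery. The output has no integrity guarantee.
// Only the standard 96-bit nonce form is handled.
func RecoverWithoutTag(key, nonce, ctWithTag []byte) ([]byte, error) {
	if len(nonce) != 12 || len(ctWithTag) < 16 {
		return nil, fmt.Errorf("need a 96-bit nonce and at least a 16-byte tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// GCM's first plaintext block uses counter nonce || 0x00000002;
	// nonce || 0x00000001 (J0) is reserved for masking the tag.
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, nonce)
	binary.BigEndian.PutUint32(ctr[12:], 2)
	pt := make([]byte, len(ctWithTag)-16)
	cipher.NewCTR(block, ctr).XORKeyStream(pt, ctWithTag[:len(pt)])
	return pt, nil
}

func main() {
	// Constructed sample: a fixed key and nonce stand in for the values a
	// defender would reconstruct from the archive and the malware binary.
	key := make([]byte, 32)          // all-zero AES-256 key, demo only
	nonce := []byte("fixed-nonce!") // 12 bytes
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, nonce, []byte("backup.tar.zst contents"), nil)
	sealed[len(sealed)-1] ^= 0xff // corrupt the tag: Open must now fail
	_, openErr := gcm.Open(nil, nonce, sealed, nil)
	pt, _ := RecoverWithoutTag(key, nonce, sealed)
	fmt.Printf("Open error: %v\nCTR recovery: %q\n", openErr, pt)
}
```

The recovered bytes should still be validated by other means (archive magic, Zstandard frame headers, tar structure) since the tag no longer vouches for them.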
Beyond the cryptographic weakness, we reconstruct the broader attack chain used in real-world campaigns. Our analysis shows that the operator assembles a low-cost, high-efficiency intrusion workflow by combining publicly available offensive tooling and lightweight custom malware. The campaign leverages Sliver, Tokenvator, SharpInjector, Donut, and POSTDump, alongside PowerShell and other living-off-the-land utilities, to support delivery, privilege escalation, injection, command-and-control, credential access, and final impact. This toolchain-driven model illustrates how modern actors can industrialize destructive operations by reusing open-source ecosystems rather than investing in fully proprietary development.
Our analysis shows that ArgonWiper introduces recovery challenges that differ from those typically associated with conventional ransomware. Rather than leaving encrypted files on the system, it creates encrypted tar and Zstandard-based backup archives and then deletes the original data. As a result, conventional file-recovery strategies are less directly applicable, while the attacker's own workflow retains a limited recovery path. That path exists only because of a flaw in the attacker's chosen strategy, and it covers only the data that was placed in the backup archives.
Attendees will gain a detailed understanding of ransomware-wiper convergence, including ArgonWiper's encryption and backup design, the attacker's tooling and operational choices, and the full end-to-end workflow observed in the campaign. In addition, we present practical hunting and triage opportunities, backup-file indicators, and a decryption tool developed from our reverse engineering, along with a recovery workflow that enables decryption of encrypted backup archives for known sample families, helping reduce real-world victim impact during incident response.
Hyuna Lee is a threat intelligence researcher at the Ransomware Response Center of SK Shieldus, where she conducts in-depth analysis and tracking of cyber threats, including ransomware. With a strong foundation in malware analysis, she interprets adversary behaviours and specializes in adversary infrastructure tracking and threat hunting. Her work focuses on analysing real-world attack campaigns and uncovering threat actor activities. She also expands threat intelligence through research on deep and dark web ecosystems. She focuses on correlating fragmented indicators into actionable threat intelligence by connecting adversary infrastructure and activity.

Hyoje Jo is a senior researcher at SK Shieldus with over 12 years of experience in malware analysis and threat intelligence. He focuses on tracking state-sponsored threat actors and ransomware activity. He has delivered talks at major security conferences in Korea and remains actively engaged in advanced malware research.