As we already know how Ryuk generally encrypts it's target files:

Each Ryuk executable has a embbed RSA1 key, that is used to encrypt generated AES256 keys (that are actually used to encrypt the files), in the target file. This AES key is found after "HERMES" pattern.

You can see more about it in the src/decrypt folder

What we need to accomplish:

• Archetype of Ryuk's Encryption routine
• Understanding CryptAcquireContext calls and it's parameters;
• Implement first versions of detection of the encrypted AES256 keys in bytes in the files.
• Acquire the right Encryption context: Ryuk uses different encryption context to import e export it's keys, acquiring the right one will turn it more easy to decrypt files;
• Getting more RSA1 Ryuk keys: As much different keys we obtain, more robust the solution will get;
• Ensure the right use of the Wincrypt API, to routine properly work;
• After right import of both RSA1 and AES256 keys, decrypt the content of the file
• Write the content back in the file
• Integrate the Decrypt Executable in Atreus main exe
• Iterate over directories in the machine for automatic decryption
• Dissection of Ryuk executables looking for RSA1 key