Loihde took part in this year's Disobey by creating a challenge for the CTF competition at Disobey 2026. Four teams solved the challenge, named "Beta Test". Below is the walkthrough for this forensic challenge.
The player is given a zip of forensic artifacts, evidence_package.zip, with the following challenge description:
"VIRtual GIN Inc has been hit by a ransomware and they've tasked you to investigate the case. Attached is the comprehensive forensic evidence package, acquired by the VIRtual GIN Inc IT team to the best of their ability. We need you to investigate the evidence and see if you can recover the files they encrypted."
evidence_package.zip contains the following artifacts:
Amcache.hve
Prefetch directory
Users\Public directory
Some of the Users\Virtgin\ subdirectories:
Desktop
Documents
...
Files on user Virtgin's Desktop and in Documents are encrypted, with the .chad file extension appended. There is a ransom note, README_NOW.txt, on the Desktop from the CHAD Group. CHAD is not after money; instead they want the victim to prove they are "Alpha" enough to find the CHAD Group's negotiation portal/leak site.
The ransom note (Users\Virtgin\Desktop\README_NOW.txt) says:
################################################################################
#                                                                              #
#                              --- CHAD GROUP ---                              #
#                             "WE LIFT, YOU LEAK"                              #
#                                                                              #
################################################################################
LISTEN UP, VIRtual GIN Inc:
Your network security was a joke. We didn't even break a sweat.
We’ve encrypted your files and benched your servers.
Your data is currently sitting in our private gym, and it’s never looked better.
We aren't here for your money. We have plenty of "Gains" already.
We’re here to see if there’s a single Alpha left in your entire IT department that actually has the mental max to find our negotiation portal.
We’ve already deleted our heavy-lifting tools from your puny drives.
But real power leaves an imprint.
Even when the weights are put away, the "Scent of the Lift" remains in your system's history.
If you’re too "Beta" to track where our boots hit the floor, you’re too weak to negotiate.
We will release your data to every normie out there to laugh at if you can't take the bull by the horns and stop being a wimp.
Find our negotiation portal and prove to us you have at least the tiniest bit of alpha in you.
You have until the end of our next set.
WE LIFT, YOU LEAK
-CHAD
The evidence package contains two evidence-of-execution artifacts: Prefetch files and Amcache. The player needs to examine the Amcache.hve artifact to spot anomalous executables that were recently present on the system.
Amcache.hve can be parsed and examined using a tool such as Eric Zimmerman's Registry Explorer (https://ericzimmerman.github.io/#!index.md).
Sorting the subkeys of Amcache's InventoryApplicationFile key by last write time, the player discovers the potential malware among the most recent entries at c:\windows\temp\c\chadlock.exe.
One of the key advantages of Amcache is that it records a SHA1 hash of each executable it inventories. The hash lives in the entry's FileId value, stored as four zeros followed by the 40 hex digits of the SHA1, and it is computed over at most the first 31,457,280 bytes of the file, so for binaries larger than about 30 MB it will not match a full-file hash. The SHA1 hash of chadlock.exe is 954d81f5e270fb38ec05362aeb8f0362777a383f.
With the file hash of the suspected malware in hand, the player pivots to OSINT by looking it up on VirusTotal (VirusTotal resolves an MD5, SHA1 or SHA256 lookup to the same report, which it files under the SHA256). The file has been uploaded to VirusTotal: https://www.virustotal.com/gui/file/871b2cd3d9af3a17cf0c7b8d800fe7b72663ac7a49db7ef40a5b1e7a4789347c/details
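The Amcache triage above, done in code rather than by eye in Registry Explorer, as an added example that is not Loihde's code or part of the challenge package. It normalizes the FileId value to a SHA1, keeps the newest entries, flags executables in locations where a fresh binary deserves a second look, and builds the VirusTotal URL for the pivot. The triage logic runs on the constructed sample records at the bottom; load_amcache() shows how the same records would be read from a real Amcache.hve with the python-registry library (pip install python-registry), and the key path and method names used there are assumptions about that library.

```python
"""Triage Amcache InventoryApplicationFile entries and pivot on the SHA1.

Added example, not Loihde's code or part of the challenge. The triage logic
runs on the constructed sample records below; load_amcache() shows how the
same records can be pulled from a real Amcache.hve with python-registry
(pip install python-registry), whose key path and API are assumed here.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Amcache stores the hash in the FileId value as "0000" followed by the
# 40-hex-digit SHA1, computed over at most the first 31,457,280 bytes.
FILEID_RE = re.compile(r"^0{4}([0-9a-fA-F]{40})$")

# Locations where a newly inventoried executable deserves a second look.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
)


@dataclass
class AmcacheEntry:
    path: str             # LowerCaseLongPath value
    file_id: str          # FileId value
    last_write: datetime  # subkey last-write time (when Amcache recorded it)


def sha1_from_file_id(file_id: str) -> Optional[str]:
    """Strip the "0000" prefix and return the SHA1 in lowercase hex, or None."""
    m = FILEID_RE.match(file_id.strip())
    return m.group(1).lower() if m else None


def virustotal_url(sha1: str) -> str:
    # VirusTotal resolves MD5/SHA1/SHA256 to the same report.
    return f"https://www.virustotal.com/gui/file/{sha1}"


def is_suspicious_path(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage(entries: List[AmcacheEntry], newest: int = 20) -> List[Tuple[datetime, str, str, str]]:
    """Return (time, path, sha1, vt_url) for suspicious entries among the newest N."""
    recent = sorted(entries, key=lambda e: e.last_write, reverse=True)[:newest]
    hits = []
    for e in recent:
        sha1 = sha1_from_file_id(e.file_id)
        if sha1 and is_suspicious_path(e.path):
            hits.append((e.last_write, e.path, sha1, virustotal_url(sha1)))
    return hits


def load_amcache(hive_path: str) -> List[AmcacheEntry]:
    """Read InventoryApplicationFile subkeys from a real hive (assumed python-registry API)."""
    from Registry import Registry  # python-registry
    reg = Registry.Registry(hive_path)
    key = reg.open("InventoryApplicationFile")  # path relative to the hive's "Root" key (assumption)
    entries = []
    for sk in key.subkeys():
        vals = {v.name(): v.value() for v in sk.values()}
        entries.append(AmcacheEntry(vals.get("LowerCaseLongPath", ""),
                                    vals.get("FileId", ""), sk.timestamp()))
    return entries


# Constructed sample records standing in for a parsed hive. The chadlock.exe
# path and SHA1 are the ones from the walkthrough; the other two are made up.
SAMPLE_ENTRIES = [
    AmcacheEntry("c:\\windows\\system32\\notepad.exe",
                 "0000" + "ab" * 20, datetime(2026, 1, 10, 9, 0, 0)),
    AmcacheEntry("c:\\program files\\7-zip\\7z.exe",
                 "0000" + "cd" * 20, datetime(2026, 1, 12, 14, 30, 0)),
    AmcacheEntry("c:\\windows\\temp\\c\\chadlock.exe",
                 "0000954d81f5e270fb38ec05362aeb8f0362777a383f",
                 datetime(2026, 1, 20, 18, 45, 0)),
]

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for load_amcache(r"<path-to-evidence>\Amcache.hve") on real data.
    for ts, path, sha1, url in triage(SAMPLE_ENTRIES):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {path}  sha1={sha1}\n    {url}")
```

The path filter is deliberately crude: it is a triage aid for deciding what to look up first, not a verdict, and a binary dropped under a legitimate-looking path would have to be caught by the hash lookup or by timeline correlation with the Prefetch data instead.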
The file's VirusTotal page has a comment from CHAD_Group in which they brag about stealing VIRtual GIN Inc's data and threaten to release it to the public. The comment points the player to the negotiation portal at http://chadgroup.dissi.fi:8080 with the credentials beta:AllYourFilesAreBelongToCHAD.
The site presents a basic authentication login form.
After entering credentials, the player is presented with CHAD Group's website.
The "Instructions for betas" section hints that the player needs to find the file name of the master key (password) file that the ransomware binary used when encrypting the files. The file name needs to be given to the Chad Negotiator chat at the bottom of the page.
To find the master key file name, the player needs to parse and examine the Prefetch artifacts within the evidence package provided at the beginning of the challenge. There is a single Prefetch file for chadlock.exe: CHADLOCK.EXE-1BDBE4D9.pf. Prefetch files record which files and directories an executable touched during roughly the first ten seconds after it was launched, which is exactly when a ransomware binary reads its key material. The eight hex digits in the file name are a hash of the executable's full path, so the same binary run from a different location would leave a separate .pf file.
Eric Zimmerman's PECmd.exe can be used to parse Prefetch files, either one file at a time or a whole directory with -d (add --csv <output-dir> to get CSV for further processing): PECmd.exe -f "<path-to-evidence>\Windows\Prefetch\CHADLOCK.EXE-1BDBE4D9.pf"
Number 18 in "Files referenced" is CHALKED_UP_MASTER_KEY.TXT.
Entering this name into the Chad Negotiator on the leak site results in Chad handing over the decryption key used for the .chad files.
The decryption key turns out to be a single handshake emoji: 🤝
Displaying the contents of any of the encrypted files reveals a plaintext header showing that the file was encrypted with age:
$ cat FLAG.txt.chad
age-encryption.org/v1
-> scrypt YsTNvfNdmUmpK9VJjgtkzw 18
ftEUozH2Ul2C2ZsR3x51RhRJ+mdrDZqQ3Qk8p4w45mE
--- 3a/15e9FHyOTkeTVm6h8VtVHpMGFnU9fbmrGnDHJI3w
'��5��$\)#���P}\�
��_��mJ�e�ղ��!����A�d���>��CK��^w�^%�t
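Before reaching for a decryption tool it is worth reading that header properly, because it says what kind of secret the file needs. The following parser is an added example, not Loihde's code or part of the age project: it walks the age v1 header (magic line, one or more "-> type args" recipient stanzas with base64 bodies wrapped at 64 columns, then a "--- mac" line) and reports whether the file wants a passphrase (an scrypt stanza, which must be the only stanza) or an identity key. The sample blob is the header from the walkthrough followed by a few constructed bytes standing in for the binary payload.

```python
"""Inspect an age v1 header to learn what secret a .chad file needs.

Added example, not Loihde's code or the age project's code. Only the
plaintext header is parsed; the payload is never decrypted here.
"""
import base64
from dataclasses import dataclass
from typing import List

MAGIC = "age-encryption.org/v1"


def _b64(s: str) -> bytes:
    # age uses standard base64 without padding; re-pad before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


@dataclass
class Stanza:
    kind: str        # e.g. "scrypt" or "X25519"
    args: List[str]  # stanza arguments, e.g. [salt_b64, log2(N)]
    body: bytes      # wrapped file key


@dataclass
class AgeHeader:
    stanzas: List[Stanza]
    mac: bytes           # HMAC over the header
    payload_offset: int  # where the encrypted payload starts


def parse_age_header(blob: bytes) -> AgeHeader:
    # The header is line-oriented ASCII; everything after the "--- mac" line is payload.
    end = blob.index(b"\n--- ")
    mac_line_end = blob.index(b"\n", end + 1)
    lines = blob[:mac_line_end].decode("ascii").split("\n")
    if lines[0] != MAGIC:
        raise ValueError("not an age v1 file")
    stanzas, i = [], 1
    while i < len(lines) and lines[i].startswith("-> "):
        kind, *args = lines[i][3:].split(" ")
        i += 1
        body_lines = []
        # A stanza body is base64 wrapped at 64 columns; a shorter (possibly
        # empty) line terminates it.
        while True:
            body_lines.append(lines[i])
            i += 1
            if len(body_lines[-1]) < 64:
                break
        stanzas.append(Stanza(kind, args, _b64("".join(body_lines))))
    if i >= len(lines) or not lines[i].startswith("--- "):
        raise ValueError("malformed header: expected MAC line")
    return AgeHeader(stanzas, _b64(lines[i][4:]), mac_line_end + 1)


def describe(hdr: AgeHeader) -> str:
    """Tell the analyst what to ask for: a passphrase or an identity file."""
    kinds = [s.kind for s in hdr.stanzas]
    if kinds == ["scrypt"]:
        salt, log_n = hdr.stanzas[0].args
        return f"passphrase (scrypt, N=2^{int(log_n)}, {len(_b64(salt))}-byte salt)"
    if "scrypt" in kinds:
        # The age spec requires an scrypt stanza to be the only recipient.
        return "invalid: scrypt stanza must be the only recipient"
    return "identity/key file (" + ", ".join(kinds) + ")"


# Constructed sample: the header printed by `cat FLAG.txt.chad` in the
# walkthrough, followed by dummy bytes in place of the real ciphertext.
SAMPLE = (
    b"age-encryption.org/v1\n"
    b"-> scrypt YsTNvfNdmUmpK9VJjgtkzw 18\n"
    b"ftEUozH2Ul2C2ZsR3x51RhRJ+mdrDZqQ3Qk8p4w45mE\n"
    b"--- 3a/15e9FHyOTkeTVm6h8VtVHpMGFnU9fbmrGnDHJI3w\n"
    + bytes.fromhex("27ffdd35c4ee24")
)

if __name__ == "__main__":
    hdr = parse_age_header(SAMPLE)
    print(describe(hdr))
    print(f"payload starts at byte {hdr.payload_offset}, MAC {hdr.mac.hex()[:16]}...")
```

The scrypt work factor in the header (18, i.e. N = 2^18) is the parameter that makes brute-forcing a weak passphrase slow, which is why the intended route in this challenge is recovering the key from the artifacts rather than guessing it; the same check on a file with an X25519 stanza would tell you to go looking for an identity file instead of a password.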
A quick online search of "age encryption" leads to the project's GitHub page: https://github.com/FiloSottile/age
"age is a simple, modern and secure file encryption tool, format, and Go library"
GitHub page's README offers quick installation commands to install the age CLI tool on different operating systems (Windows, Linux, macOS).
For example, on Ubuntu: apt install age
After installation, we run the age CLI with the --decrypt option (or its short form -d), giving the encrypted file as a positional argument; add -o <file> to write the plaintext to disk instead of the terminal. When it asks for a passphrase, enter a single handshake emoji: 🤝
$ age --decrypt FLAG.txt.chad
Enter passphrase:
DISOBEY[B1G_BR41N5_BIG_GA1NZZ]
That's all folks! Thanks for participating and congratulations to the players who completed the challenge.
PS. Also check out our 2025 challenge here.