Rhysida Ransomware has just experienced its Enigma moment as Korean researchers from Kookmin University shared a method to decrypt files affected by this infamous malware strain.
Researchers, supported by the Korea Internet & Security Agency (KISA), leveraged Rhysida’s vulnerabilities to reconstruct the encryption key and restore the encrypted system “despite the prevailing belief that ransomware renders data irretrievable without paying the ransom.”
According to a paper on the subject, Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data.
“However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware,” the paper announced.
The result follows similar decryption successes against other ransomware strains such as Magniber v2, Ragnar Locker, Avaddon, and Hive.
KISA shared a Rhysida Decryption Tool and its manual on its website. The manual instructs users to delete malicious code from the system first to avoid reinfection and warns that 100% decryption is difficult due to encryption characteristics.
The tool searches for infected files and automatically decrypts them, creating copies in each folder where the infected files were stored. The decrypted file name is changed by adding “_dec” to the original file name.
What is Rhysida?
Rhysida is a lesser-known ransomware group, first observed in the second quarter of 2023. The US Cybersecurity and Infrastructure Security Agency (CISA) said that Rhysida is known for going after “targets of opportunity,” including the education, healthcare, manufacturing, information technology, and government sectors. Rhysida offered its tools as a ransomware-as-a-service and practiced double extortion.
Rhysida was behind the British Library hack. The gang also claimed multiple hospitals in the US, attacked the Prince George’s County school system, and auctioned stolen data from Insomniac Games, known for the Spider-Man, Spyro the Dragon, and Ratchet & Clank video games.
How did researchers do it?
According to the paper, Rhysida ransomware exclusively uses LibTomCrypt for encryption, and to speed the process up, it encrypts in parallel by spawning as many encryption threads as the victim's PC has processors.
The first challenge was to identify the factors for regenerating the encryption key.
“Our analysis reveals that the random number generated by the cryptographically secure pseudo-random number generator is based on the execution time of the Rhysida ransomware. The time value used as a seed, being 32-bit data, does not offer a large space for conducting an exhaustive search,” researchers explain.
Second, to decrypt the right file with the right key, it is crucial to identify the order in which the encryption keys were used. Researchers observed that Rhysida follows no explicit rule for this order, but a workaround was available: every file system records a modification time for each file, and that timestamp is updated when the file is encrypted, so the encryption order can be read back from the timestamps.
Third, researchers observed that during Rhysida ransomware’s encryption process, the encryption thread draws 80 bytes of random numbers for each file it encrypts. Of these, the first 48 bytes are used as the encryption key and the initialization vector.
With only a small seed space to search, the researchers devised a process to recover the initial seed needed to decrypt Rhysida ransomware and deduced the order in which files were encrypted, taking into account that small files encrypted within the same second may share a modification time.
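The three observations above can be put together in a small simulation. The following is an added example, not code from the paper, from KISA's tool or from the ransomware itself: a SHA-256 based generator stands in for LibTomCrypt's PRNG, a SHA-256 counter-mode XOR stream stands in for the real file cipher, and the split of the first 48 bytes into a 32-byte key and a 16-byte IV is an assumption. What it keeps from the article is the structure of the attack: a generator whose only entropy is a 32-bit time value, 80 bytes drawn per file of which 48 are used, the infection time bounded from above by the earliest modification time, a bounded search over candidate seeds, and the per-second tie-breaking of files that share a modification time. Known file headers (PDF, ZIP, PNG magic bytes) serve as the plaintext check; the sample files and timestamps are constructed.

```python
"""Toy reconstruction of the time-seeded PRNG recovery described above.

Added example. Stand-ins (NOT the real algorithms): a SHA-256 generator in
place of LibTomCrypt's PRNG, and a SHA-256 counter-mode XOR stream in place
of the real cipher. Key/IV split of the 48 used bytes (32 + 16) is assumed.
"""
import hashlib
import itertools
import struct

KEY_LEN, IV_LEN, DRAW_LEN = 32, 16, 80   # 80 bytes drawn per file, 48 used


class TimeSeededPrng:
    """Deterministic generator whose only entropy is a 32-bit time value."""

    def __init__(self, seed32: int):
        self.state = hashlib.sha256(struct.pack("<I", seed32 & 0xFFFFFFFF)).digest()
        self.counter = 0

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.state + struct.pack("<Q", self.counter)).digest()
            self.counter += 1
        return bytes(out[:n])


def next_file_key(prng: TimeSeededPrng):
    """Draw 80 bytes; the first 32 are the key and the next 16 the IV (assumed split)."""
    draw = prng.read(DRAW_LEN)
    return draw[:KEY_LEN], draw[KEY_LEN:KEY_LEN + IV_LEN]


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in counter-mode stream cipher; encryption and decryption are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + struct.pack("<Q", off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


MAGIC = (b"%PDF-", b"PK\x03\x04", b"\x89PNG")   # known-plaintext check on file headers


def looks_like_plaintext(data: bytes) -> bool:
    return data.startswith(MAGIC)


def infect(plaintexts, t_infect: int):
    """Simulate the encryptor: one generator seeded with the infection time, files done in order.

    Constructed modification times: two files per second, so small files share an mtime.
    """
    prng = TimeSeededPrng(t_infect)
    victims = []
    for i, (name, data) in enumerate(plaintexts):
        key, iv = next_file_key(prng)
        victims.append((name, xor_stream(key, iv, data), t_infect + i // 2))
    return victims


def _order_and_decrypt(groups, seed: int):
    """Regenerate the stream for one candidate seed; resolve ties within each mtime group."""
    prng = TimeSeededPrng(seed)
    recovered = []
    for group in groups:
        keys = [next_file_key(prng) for _ in group]      # one draw per file, in order
        for perm in itertools.permutations(group):
            cands = [(v[0], xor_stream(k, iv, v[1])) for v, (k, iv) in zip(perm, keys)]
            if all(looks_like_plaintext(p) for _, p in cands):
                recovered.extend(cands)
                break
        else:
            return None                                   # wrong seed or no consistent order
    return recovered


def recover(victims, window: int = 3600):
    """Search seeds downward from the earliest mtime (the seed cannot be later than it)."""
    by_time = sorted(victims, key=lambda v: v[2])
    groups = [list(g) for _, g in itertools.groupby(by_time, key=lambda v: v[2])]
    earliest = by_time[0][2]
    for seed in range(earliest, earliest - window, -1):
        plan = _order_and_decrypt(groups, seed)
        if plan is not None:
            return seed, plan
    return None
```

The search space here is bounded twice: the seed is a 32-bit value to begin with, and because the generator is seeded at execution time, the earliest modification time among encrypted files is an upper bound on it, so only the seconds in the window before that timestamp need to be tried. The per-group permutation step is what handles the small-file case the researchers mention: files encrypted within the same second cannot be ordered by timestamp alone, so the candidate orders are tried against the known-plaintext check.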
The recovery tool may help victims avoid paying ransoms. However, advanced ransomware “not only encrypts data but also carries out data exfiltration, frequently using double extortion tactics that threaten to delete the exfiltrated data.”
Researchers hope that similar work will continue to aid ransomware victims, claiming that “certain ransomware strains can be successfully decrypted.”