Good News! Rhysida Ransomware has been decrypted, A Breakthrough.

In a significant breakthrough, cybersecurity researchers have successfully cracked the Rhysida ransomware. This achievement marks a pivotal moment in the fight against cyber threats, as it demonstrates the potential to decrypt data locked by ransomware without succumbing to the demands of cybercriminals.

The Rhysida Ransomware – What is it? What does it do?

In simple terms, Rhysida is a nasty computer virus belonging to the category of ransomware, that showed up in May 2023. It has been causing trouble in many places like schools, hospitals, factories, and government offices. The virus locks up important files and asks for money to unlock them.

In a more technical terminology, Rhysida is a relatively new ransomware strain that first appeared in May 2023. It is known for its opportunistic attacks on various sectors, including education, healthcare, manufacturing, information technology, and government. Rhysida operates on a ransomware-as-a-service model and practices double extortion, threatening to release stolen data unless a ransom is paid.

How Did They Beat It?

Researchers from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an “implementation vulnerability” in Rhysida ransomware. This vulnerability allowed them to regenerate the encryption key used by the malware and decrypt the data. This is the first successful decryption of the Rhysida ransomware strain.

The researchers’ findings were published, and a recovery tool is being distributed through KISA. This marks the first successful decryption of the Rhysida ransomware strain. The researchers hope their work will contribute to mitigating the damage inflicted by the Rhysida ransomware.

The Decryption Process of the Rhysida Ransomware

Rhysida ransomware uses LibTomCrypt for encryption and employs parallel processing to speed up the process. It generates 80 bytes of random numbers when encrypting a single file, with the first 48 bytes used as the encryption key and the initialization vector. The researchers were able to retrieve the initial seed for decrypting the ransomware, determine the “randomized” order in which the files were encrypted, and ultimately recover the data without having to pay a ransom.

The Decryption Tool for the Rhysida Ransomware

A recovery tool is being distributed through KISA. The tool searches for infected files and automatically decrypts them, creating copies in each folder where the infected files were stored. The decrypted file name is changed by adding “_dec” to the original file name.

In simpler terms, KISA is giving out a tool, which can be found here, that can find files locked by the virus and unlock them. It makes a copy of each unlocked file in the same folder where the locked file was. The name of the unlocked file is the same as the locked file, but with “_dec” added to the end.

Update

Following the publication of the story, security researcher Fabian Wosar revealed that the weaknesses in Rhysida ransomware were discovered by at least three other parties, who chose to circulate it in private instead of seeking publication and alerting Rhysida about their problem.

“Avast found it in October last year, the French CERT authored and published a private paper about it in June, and I found the vulnerability in May last year,” Wosar said. “I don’t know about the Avast and CERT data, but we [have] decrypted hundreds of systems since then.”

Wosar also cautioned that the paper only applies to the Windows PE version of the Rhysida ransomware. It does not apply to the ESXi or the PowerShell payload.

Conclusion

This successful decryption of Rhysida ransomware is a significant achievement in the field of cybersecurity. It follows similar victories against other ransomware strains such as Magniber v2, Ragnar Locker, Avaddon, and Hive. While these studies have a limited scope, they highlight the possibility that certain ransomwares can be successfully decrypted. This breakthrough serves as a beacon of hope in the ongoing battle against cyber threats.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it