Korean researchers successfully decrypt Rhysida ransomware and develop free decryption tool

Researchers in South Korea have successfully cracked the encryption used by the Rhysida ransomware gang, allowing them to develop a recovery tool for victims of the malicious attacks. The Rhysida gang, which has been active since May last year, targets organizations across various sectors such as education, healthcare, manufacturing, information technology, and government. Their most notable attack so far was against the British Library, and they are believed to be linked to the criminal group known as Vice Society.

In a research paper published on February 9, a team of researchers from South Korea discovered a vulnerability in the random number generator used by Rhysida to lock up victims’ data. By exploiting this flaw, they were able to decrypt the data using a regenerated random number generator. The Korea Internet and Security Agency (KISA) is now distributing a free Rhysida ransomware recovery tool, making it the first successful decryptor for this specific strain of ransomware.

The researchers, based at Kookmin University and KISA, expressed their hope that their work would help mitigate the damage caused by the Rhysida ransomware. The ransomware uses LibTomCrypt’s ChaCha20-based cryptographically secure pseudo-random number generator to create encryption keys for each file. By analyzing the method used by the ransomware to generate encryption keys, the researchers were able to develop a tool to recover scrambled files.

One key observation made by the researchers was that the Rhysida ransomware uses intermittent encryption, meaning it encrypts only parts of each document rather than the whole file. This technique, employed by other ransomware gangs as well, speeds up the encryption process and makes it less likely that the criminals will be detected before they have caused significant damage. However, restoring data encrypted by Rhysida ransomware should be approached with caution, as the compromised machines may still pose a security risk.

The Rhysida malware, once installed on a victim’s Windows PC, targets specific documents for encryption using a multi-threaded approach. Each thread utilizes the CSPRNG to generate encryption keys, which are stored in the scrambled file and encrypted using a hardcoded RSA public key. The researchers were able to use information such as the last modification time of files to determine the order of encryption, thus enabling them to decrypt the files without paying the ransom.
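As an added illustration (not the researchers' tool and not Rhysida's code), the following constructed toy model shows why a deterministic generator seeded from a low-entropy value lets per-file keys be regenerated once the encryption order is known, and doubles as a check a defender can run against their own key-generation code. It assumes a ChaCha20 keystream generator seeded from a 32-bit timestamp, one key per file handed out in sequence, and files with a known leading magic; the article does not say what the actual flaw in Rhysida's generator was, so the seed source and the file format are assumptions of this model.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    for r1, r2 in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], r1)
        s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], r2)

def chacha20_block(key, counter, nonce=b"\x00" * 12):
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout); zero nonce is a toy simplification."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *idx)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, init)])

def file_keys(seed_time, n):
    """Toy CSPRNG (assumption): ChaCha20 keystream keyed from a 32-bit timestamp,
    handing out one 32-byte file key per request in a fixed order."""
    prng_key = hashlib.sha256(struct.pack("<I", seed_time)).digest()
    return [chacha20_block(prng_key, i)[:32] for i in range(n)]

def xor_head(data, key):
    """Encrypt/decrypt only the first 64 bytes (stand-in for intermittent encryption)."""
    ks = chacha20_block(key, 0)
    return bytes(x ^ y for x, y in zip(data, ks)) + data[len(ks):]

def recover(ciphertexts, magic, t_lo, t_hi):
    """Sweep candidate seeds in a time window; the right one makes every file, taken in
    encryption order, decrypt to the expected leading magic. Returns (seed, keys) or None."""
    for t in range(t_lo, t_hi):
        keys = file_keys(t, len(ciphertexts))
        if all(xor_head(c, k).startswith(magic) for c, k in zip(ciphertexts, keys)):
            return t, keys
    return None

def demo(seed=1707436800):
    """Constructed sample: three PDF-like files locked under `seed`; True if keys are regenerated."""
    files = [b"%PDF-1.7 sample " + bytes([65 + i]) * 80 for i in range(3)]
    cts = [xor_head(f, k) for f, k in zip(files, file_keys(seed, 3))]
    found = recover(cts, b"%PDF", seed - 600, seed + 600)
    return found is not None and [xor_head(c, k) for c, k in zip(cts, found[1])] == files
```

The sweep succeeds only because the seed space is small and the order in which keys were drawn is known, which is exactly the combination the modification-time analysis described above gives a defender; a generator seeded from the operating system's entropy source leaves nothing to sweep.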

This breakthrough in decrypting Rhysida-encrypted files challenges the common belief that ransomware renders data irretrievable without meeting the ransom demands. In response to the growing threat posed by ransomware attacks, the US government issued a security advisory in November to help organizations protect themselves from becoming victims of malicious ransomware groups like Rhysida.

Overall, the successful decryption of Rhysida-encrypted files by researchers in South Korea marks a significant milestone in the ongoing battle against ransomware attacks. By understanding the vulnerabilities exploited by ransomware gangs, cybersecurity experts can develop tools to help victims recover their data and prevent future attacks.
