Researchers in South Korea have successfully cracked the encryption used by the Rhysida ransomware gang, allowing them to develop a recovery tool for victims of the malicious attacks. The Rhysida gang, which has been active since May last year, targets organizations across various sectors such as education, healthcare, manufacturing, information technology, and government. Their most notable attack so far was against the British Library, and they are believed to be linked to the criminal group known as Vice Society.

In a research paper published on February 9, a team of researchers from South Korea discovered a vulnerability in the random number generator used by Rhysida to lock up victims’ data. By exploiting this flaw, they were able to decrypt the data using a regenerated random number generator. The Korea Internet and Security Agency (KISA) is now distributing a free Rhysida ransomware recovery tool, making it the first successful decryptor for this specific strain of ransomware.

The researchers, based at Kookmin University and KISA, expressed their hope that their work would help mitigate the damage caused by the Rhysida ransomware. The ransomware uses LibTomCrypt’s ChaCha20-based cryptographically secure pseudo-random number generator to create encryption keys for each file. By analyzing the method used by the ransomware to generate encryption keys, the researchers were able to develop a tool to recover scrambled files.

One key observation made by the researchers was that the Rhysida ransomware uses intermittent encryption, meaning it partially encrypts documents rather than the entire file. This technique, employed by other ransomware gangs as well, speeds up the encryption process and makes it less likely for the criminals to be detected before causing significant damage. However, restoring data encrypted by Rhysida ransomware should be approached with caution, as the compromised machines may still pose a security risk.

The Rhysida malware, once installed on a victim’s Windows PC, targets specific documents for encryption using a multi-threaded approach. Each thread utilizes the CSPRNG to generate encryption keys, which are stored in the scrambled file and encrypted using a hardcoded RSA public key. The researchers were able to use information such as the last modification time of files to determine the order of encryption, thus enabling them to decrypt the files without paying the ransom.

This breakthrough in decrypting Rhysida-encrypted files challenges the common belief that ransomware renders data irretrievable without meeting the ransom demands. In response to the growing threat posed by ransomware attacks, the US government issued a security advisory in November to help organizations protect themselves from becoming victims of malicious ransomware groups like Rhysida.

Overall, the successful decryption of Rhysida-encrypted files by researchers in South Korea marks a significant milestone in the ongoing battle against ransomware attacks. By understanding the vulnerabilities exploited by ransomware gangs, cybersecurity experts can develop tools to help victims recover their data and prevent future attacks.

Извор линк