Rhysida Ransomware Cracked, Free Decryption Tool Released


Cybersecurity researchers have discovered an ‘implementation vulnerability’ that has made it possible to reconstruct encryption keys and decrypt data locked by the Rhysida ransomware.

The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

“Through an extensive analysis of Rhysida Ransomware, we identified an implementation vulnerability, allowing us to regenerate the encryption key used by the malware,” the researchers said.

The development marks the first successful decryption of the ransomware variant, which first emerged in May 2023. The recovery tool is distributed via KISA.

The study is also the latest to explore data decryption using implementation vulnerabilities in ransomware, following earlier work on Magniber v2, Ragnar Locker, Avaddon and Hive.

Rhysida, known to share overlap with another ransomware crew called Vice Society, uses a tactic known as double extortion to pressure victims to pay up by threatening to release their stolen data.


An advisory published by the US government in November 2023 called out threat actors for orchestrating opportunistic attacks on the education, manufacturing, information technology and government sectors.

A thorough investigation of the ransomware’s internal workings revealed its use of LibTomCrypt for encryption and of parallel processing to speed up the process. It has also been found to implement intermittent encryption (also called partial encryption), in which only parts of each file are encrypted, to finish faster and to evade detection by security solutions.


“Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key,” the researchers said. “This generator uses a cryptographically secure algorithm to generate random numbers.”

Specifically, the CSPRNG is based on the ChaCha20 algorithm provided by the LibTomCrypt library, and its output is correlated with the time at which the Rhysida ransomware runs. A generator whose only secret input is a timestamp is no longer cryptographically secure in practice: an analyst who can bound the time window can enumerate every candidate seed and replay the generator.

That’s not all. The main process of Rhysida ransomware compiles a list of files to be encrypted. This list is then referenced by several threads created to encrypt the files simultaneously, in a specific order. Because every per-file key is drawn from the same generator stream, the position of a file in that order determines which bytes of the stream became its key.

“During the encryption process of Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file,” the researchers noted. “Of this, the first 48 bytes are used as the encryption key and the [initialization vector].”

Using these observations as reference points, the researchers said they were able to pinpoint the initial starting point for decrypting the ransomware, determine the “random” order in which the files were encrypted, and ultimately recover the data without paying a ransom.
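To make the attack concrete, here is an added toy model of the weakness described above. It is written for this article and is neither Rhysida’s code nor the researchers’ recovery tool. It keeps the two facts the article states (a ChaCha20-based generator whose seed is the run time, and 80 bytes drawn per file of which the first 48 are key and IV) and fills the gaps with labelled assumptions: the seed is mapped to a ChaCha20 key with SHA-256 and a zero nonce, the per-file cipher is a stand-in stream cipher (ChaCha20 keyed with the per-file key and IV, since the article does not name the file cipher), and the sample files and timestamp are constructed. Intermittent encryption is not modelled. The recovery routine replays the generator for every timestamp in a window and tests each candidate per-file key against a known plaintext prefix such as a file-format magic.

```python
# Added example (not Rhysida's code, not the KISA/Kookmin tool): a time-seeded
# ChaCha20 PRNG that hands each file 80 bytes (first 32 = key, next 16 = IV),
# and a known-plaintext search that recovers the key by replaying the generator
# over a window of candidate timestamps. Seed mapping, nonce, file cipher and
# sample data are this example's assumptions.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    # RFC 8439 quarter round on four words of the state list, in place.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte ChaCha20 keystream block (RFC 8439 state layout, 20 rounds)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


class TimeSeededPrng:
    """ChaCha20 keystream used as a PRNG whose only entropy is a 32-bit
    timestamp. ASSUMPTION: SHA-256(time) as the key and a zero nonce are this
    example's choices, not the actual LibTomCrypt seeding used by Rhysida."""

    def __init__(self, seed_time):
        self.key = hashlib.sha256(struct.pack("<I", seed_time)).digest()
        self.nonce = bytes(12)
        self.counter = 0
        self.buf = b""

    def read(self, n):
        while len(self.buf) < n:
            self.buf += chacha20_block(self.key, self.nonce, self.counter)
            self.counter += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


def stream_xor(key, iv, data):
    """Stand-in per-file cipher (ASSUMPTION): ChaCha20 keystream under the
    per-file key with nonce = first 12 IV bytes; XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, iv[:12], i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def per_file_keys(seed_time, n_files):
    """Replay the generator: 80 bytes per file, first 32 = key, next 16 = IV."""
    prng = TimeSeededPrng(seed_time)
    keys = []
    for _ in range(n_files):
        blob = prng.read(80)          # bytes 48..80 are drawn but unused here
        keys.append((blob[:32], blob[32:48]))
    return keys


def encrypt_files(seed_time, plaintexts):
    """Encrypt files in the order the main process listed them."""
    keys = per_file_keys(seed_time, len(plaintexts))
    return [stream_xor(k, iv, pt) for (k, iv), pt in zip(keys, plaintexts)]


def recover_key(ciphertext, known_prefix, file_index, t_guess, window):
    """Known-plaintext search over timestamps t_guess +/- window.
    file_index is the file's position in the encryption order, which fixes
    which 80 bytes of the stream became its key. Returns (seed, key, iv) or None."""
    for t in range(t_guess - window, t_guess + window + 1):
        key, iv = per_file_keys(t, file_index + 1)[file_index]
        if stream_xor(key, iv, ciphertext[:len(known_prefix)]) == known_prefix:
            return t, key, iv
    return None


# Constructed sample: three files; the second carries a guessable PDF header.
SEED = 1700000000  # the run time, unknown to the defender beyond a rough window
FILES = [b"hello world, this is file zero" * 2,
         b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>",
         b"PK\x03\x04" + bytes(40)]

if __name__ == "__main__":
    cts = encrypt_files(SEED, FILES)
    # Defender only knows the incident happened within about five minutes of SEED+120.
    hit = recover_key(cts[1], b"%PDF-1.7", file_index=1, t_guess=SEED + 120, window=300)
    print("recovered seed:", hit[0], "key:", hit[1].hex())
    print("decrypted:", stream_xor(hit[1], hit[2], cts[1]))
```

The search cost is the window size times the file’s position in the encryption order, which is why establishing both the starting time and the file order, as the researchers did, is what turns a “secure” generator into a tractable brute force. Widen the window and the same routine still works; it only runs longer.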

“While these studies are limited in scope, it is important to recognize that some ransomware exists […] can be successfully decoded,” the researchers concluded.

