Security

Cyber-crime

Korean eggheads crack Rhysida ransomware and release free decryptor tool

Great news for victims of gang behind the big British Library hit in October


Some smart folks have found a way to automatically unscramble documents encrypted by the Rhysida ransomware, and used that know-how to produce and release a handy recovery tool for victims.

Rhysida is a newish ransomware gang that has been around since May last year.

The extortion crew targets organizations in education, healthcare, manufacturing, information technology, and government; the crooks' most high-profile attack to date has been against the British Library. The gang is thought to be linked to the Vice Society criminal group, and it's known to lease out malware and infrastructure to affiliates for a cut of the proceeds.

In research [PDF] published February 9, South Korea's Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, and Jongsung Kim explained how they uncovered an "implementation vulnerability" in the random number generator used by Rhysida to lock up victims' data.

This flaw "enabled us to regenerate the internal state of the random number generator at the time of infection," and then decrypt the data, "using the regenerated random number generator," the team wrote. The Korea Internet and Security Agency (KISA) is now distributing the free Rhysida ransomware recovery tool which is the first successful decryptor of this particular strain of ransomware.

"We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware," the boffins, based variously at Kookmin University and KISA, noted in their paper.

Rhysida ransomware uses LibTomCrypt's ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG) to create encryption keys for each file.

The random number output by the CSPRNG is based on the ransomware's time of execution – a method the researchers realized limits the possible combinations for each encryption key. Specifically, the malware use the current time-of-execution as a 32-bit seed for the generator. That means the keys can be derived from the time of execution, and used to decrypt and recover scrambled files.

Some additional observations: the Rhysida ransomware uses intermittent encryption. It partially encrypts documents rather than entire files, a technique made popular by LockBit and other gangs because it's faster than encrypting everything. This approach means the criminals are less likely to be caught on the network before they've finished messing up a decent number of documents. It also speeds up the restoration process, though the usual caveats apply: Don't trust machines that have had intruders code running on them. Restoring data is one thing, but the PCs will need wiping to be safe.

The Rhysida malware, once on a victim's Windows PC, locates the documents it wishes to scramble, compiles them into a list, and fires up some simultaneous threads to perform that encryption. Each thread picks the next file on its todo pile to process, and uses the CSPRNG to generate a key to encrypt that document using the standard AES-256 algorithm. The key is stored in the scrambled file albeit encrypted using a hardcoded RSA public key. You'll need the private half of that RSA key pair to recover the file's AES key and unscramble the data.

However, as a result of this research, it's possible to use each file's mtime – the last time of modification – to determine the order of processing, and the time at which each thread executed, and thus the seed to generate the file's AES decryption key, giving you the final decryption key.

The researchers explained that these discoveries allowed them to unlock victims' files "despite the prevailing belief that ransomware renders data irretrievable without paying the ransom."

In November, the US government issued a security advisory that included extensive technical details to help orgs not become the next Rhysida victim. ®

Send us news
6 Comments

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Go, go InSpectre Gadget

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

In what other sphere does a bad supplier not feel pain for its foulups?

Change Healthcare faces second ransomware dilemma weeks after ALPHV attack

Theories abound over who's truly responsible

Cisco creates architecture to improve security and sell you new switches

Hypershield detects bad behavior and automagically reconfigures networks to snuff out threats

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

While some other LLMs appear to flat-out suck

Tough luck, bosses, AI is coming for your job, too

Algorithms as PHBs – who wouldn't want that?

Head of Israeli cyber spy unit exposed ... by his own privacy mistake

Plus: Another local government hobbled by ransomware; Huge rise in infostealing malware; and critical vulns

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software

H-1B visa fraud alive and well amid efforts to crack down on abuse

It's the gold ticket favored by foreign techies – and IT giants suspected of gaming the system

Japanese government rejects Yahoo<i>!</i> infosec improvement plan

Just doesn't believe it will sort out the mess that saw data leak from LINE messaging app

Boffins deem Google DeepMind's material discoveries rather shallow

Web titan rejects criticisms, insists AI-found compounds are legit