Rhysida Ransomware Cracked & Decrypted

Ransomware is malicious software that is a prominent global cyber security threat. Typically, ransomware encrypts data on a system, rendering the victim unable to decrypt it without the attacker’s private key. Now, Cyber security experts have discovered a vulnerability in Rhysida ransomware that lets them rebuild encryption keys and unscramble documents ciphered by the infamous ransomware.

Security researchers from South Korean Kookmin University,  have identified a vulnerability in the infamous ransomware which provides a way for encrypted files to be unscrambled. 

Rhysida which is known to share overlaps with another ransomware crew called Vice Society, leverages a tactic known as double extortion to apply pressure on victims into paying up by threatening to release their stolen data. Once on a victim's Windows PC, Rhysida malware locates the documents it wishes to scramble, compiles them into a list, and fires up some simultaneous threads to perform that encryption. 

The researchers have described how they exploited an implementation flaw in Rhysida’s code to regenerate its encryption key. 

"Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data... However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection... We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware." 

As a consequence of this work, a Rhysida ransomware recovery tool has been developed and is being distributed to the general public through the Korea Internet and Security Agency (KISA). English language instructions for using the decryption tool have also been made available.

The Rhysida decryptor is just the latest in a line of ransomware recovery tools that have appeared in recent years, but there is a problem. Knowledge of the the researchers' publication of their findings and the  availability of a ransomware recovery tool will  alert the hackers who developed Rhysida about the vulnerability and motivate them to fix it.

Ransomware researchers have a dilemma - if they find a flaw in a ransomware that allows them to decrypt victims' data, they have to consider carefully the consequence of making it more widely known, as announcing the method for recovery and providing a tool will only help the hackers to respond.

KISA:      Arxix:     BitDefender:     Hacker News:    The Register:       Tripwire:

Image: unsplash

You Might Also Read: 

What Lessons Have We Learnt From Recent Ransomware Group Attacks?:

DIRECTORY OF SUPPLIERS - Ransomware Protection:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Iranian Spy Ship Hacked
The Surge In Ransomware & AI Defence Innovations »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Ascentor

Ascentor

Ascentor specialises in independent information and cyber security consultancy. We’re experienced industry experts, providing cyber security services since 2004.

CloudInsure

CloudInsure

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment.

QTS

QTS

QTS Realty Trust, Inc. is a leading provider of secure, compliant data center, hybrid cloud and managed services.

AFCERT

AFCERT

AFCERT is the national Computer Emergency Response Team for Afghanistan.

CopSonic

CopSonic

Copsonic provide a technology solution based on ultrasonic waves to send secure and encrypted data between two devices in order to achieve authentication.

IBLISS Digital Security

IBLISS Digital Security

How cyber-resilient is your business now? We help companies to continuously answer this never-ending C-level question.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

WWPass

WWPass

WWPass is a global cybersecurity company that provides password-less authentication and client-side encryption technology.

Spotit

Spotit

Spotit offers a wide-ranging portfolio of technologies and services, from consultancy, assessments and pentesting to the set up of completely new security and network infrastructures.

SLVA Cybersecurity

SLVA Cybersecurity

SLVA Cybersecurity excel at delivering security-as-a-service, fit-for-purpose, within the constraints of realistic budgets and business expectations.

Tozny

Tozny

Tozny offers products with security and privacy in mind that are built on the foundation of end-to-end encryption, and open-source verifiable software.

Tenable

Tenable

Organizations around the world rely on Tenable to help them understand and reduce cybersecurity risk across their attack surface—in the cloud or on-premises, from IT to OT and beyond.

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

Gomboc.ai

Gomboc.ai

Gomboc solve cloud infrastructure security policy deviations by providing tailored remediations to the IaC (Infrastructure as Code).

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs are a group of IT security specialists, ethical hackers, and researchers driven to identify security flaws before cyber threat actors does.

Continent 8 Technologies

Continent 8 Technologies

Continent 8 Technologies is the leading provider of managed hosting, connectivity, cloud and cybersecurity solutions to the global online gambling industry.