Recent research has highlighted a critical vulnerability in the Rhysida ransomware, allowing experts to reconstruct encryption keys and decrypt compromised data. This groundbreaking discovery was made by researchers from Kookmin University and the Korea Internet and Security Agency (KISA), who published their findings last week.
The team noted that through meticulous analysis of the ransomware’s architecture, they identified what they termed an “implementation vulnerability.” This weakness enabled them to recreate the encryption key employed by the ransomware, marking the first instance of successful decryption for Rhysida, which emerged in May 2023. In response to this development, KISA is currently distributing a recovery tool to assist affected users.
This study represents a continuation of research strategies that exploit vulnerabilities in ransomware implementations, similar to efforts made against other malware strains like Magniber v2 and Avaddon. Furthermore, Rhysida has garnered attention for its use of a double extortion strategy, compelling victims to pay up under the threat of releasing stolen data.
In November 2023, a U.S. government advisory highlighted that threat actors were targeting critical sectors, including education and manufacturing. A thorough investigation into the inner workings of Rhysida revealed its reliance on LibTomCrypt for encryption and the employment of parallel processing to enhance its efficiency. The malware also utilizes intermittent encryption techniques to evade detection, further complicating mitigation efforts.
The researchers observed that Rhysida generates its encryption keys with a cryptographically secure pseudo-random number generator (CSPRNG) built on the ChaCha20 algorithm. The generator's output is tied to the malware's runtime, which is intended to make its behaviour unpredictable. Even so, the malware compiles a list of target files and its threads encrypt them in a fixed sequence.
During encryption, the threads draw 80 bytes of random data for each file, of which the first 48 bytes serve as the encryption key and the initialization vector. Building on these observations, the researchers recovered the initial seed needed for decryption, reconstructed the order in which files were encrypted, and restored the data without paying the ransom.
Despite the limited scope of their study, the researchers emphasized that it is important to recognize that certain ransomware strains can be decrypted successfully. However, security expert Fabian Wosar added a cautionary note, revealing that at least three other parties had made the same discovery before this publication and had chosen to keep their findings private.
Wosar confirmed that while they have successfully decrypted numerous systems, the publication specifically pertains to the Windows PE version of Rhysida ransomware and does not extend to its ESXi or PowerShell variants. This highlights the variability within ransomware deployments and the challenges they pose to cybersecurity efforts.