Korean eggheads crack Rhysida ransomware and release free decryptor tool

Some smart folks have found a way to automatically unscramble documents encrypted by the Rhysida ransomware, and used that know-how to produce and release a handy recovery tool for victims.

Rhysida is a newish ransomware gang that has been around since May last year.

The extortion crew targets organizations in education, healthcare, manufacturing, information technology, and government; the crooks’ most high-profile attack to date has been against the British Library. The gang is thought to be linked to the Vice Society criminal group, and it’s known to lease out malware and infrastructure to affiliates for a cut of the proceeds.

In research [PDF] published February 9, South Korea’s Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, and Jongsung Kim explained how they uncovered an “implementation vulnerability” in the random number generator used by Rhysida to lock up victims’ data.

This flaw “enabled us to regenerate the internal state of the random number generator at the time of infection,” and then decrypt the data, “using the regenerated random number generator,” the team wrote. The Korea Internet and Security Agency (KISA) is now distributing the free Rhysida ransomware recovery tool which is the first successful decryptor of this particular strain of ransomware.

“We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware,” the boffins, based variously at Kookmin University and KISA, noted in their paper.

Rhysida ransomware uses LibTomCrypt's ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG) to create encryption keys for each file.

The random numbers output by the CSPRNG are determined by the ransomware's time of execution, a design the researchers realized drastically limits the possible values of each encryption key. Specifically, the malware uses the current time of execution as a 32-bit seed for the generator, so the generator's entire output stream, and therefore every per-file key, is fixed once that seed is known. Narrow down when the malware ran, regenerate the generator's state from that seed, and the keys fall out; they can then be used to decrypt and recover the scrambled files.

Some additional observations: the Rhysida ransomware uses intermittent encryption. It partially encrypts documents rather than entire files, a technique made popular by LockBit and other gangs because it's faster than encrypting everything. This approach means the criminals are less likely to be caught on the network before they've finished messing up a decent number of documents. It also speeds up the restoration process, though the usual caveats apply: don't trust machines that have had intruders' code running on them. Restoring data is one thing, but the PCs will need wiping to be safe.

The Rhysida malware, once on a victim’s Windows PC, locates the documents it wishes to scramble, compiles them into a list, and fires up some simultaneous threads to perform that encryption. Each thread picks the next file on its todo pile to process, and uses the CSPRNG to generate a key to encrypt that document using the standard AES-256 algorithm. The key is stored in the scrambled file albeit encrypted using a hardcoded RSA public key. You’ll need the private half of that RSA key pair to recover the file’s AES key and unscramble the data.

However, as a result of this research, it's possible to use each file's mtime – the last time of modification – to determine the order in which the files were processed and the time at which each thread ran, and thus the seed the generator was started with. Regenerate the generator from that seed, replay its output in the same order, and you get each file's AES key without ever touching the RSA private key.
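To make those mechanics concrete, here is a toy model of that recovery, added for this article. It is illustrative code, not Rhysida's code, not the researchers' tool and not LibTomCrypt: a SHA-256 chain stands in for the ChaCha20 CSPRNG, an HMAC-SHA256 keystream stands in for AES-256, and the file names, contents, the `%PDF` header used as a known-plaintext check, the mtime layout and the one-hour search window are all constructed assumptions. What it keeps faithful to the paper's point is the structure: one 32-bit time seed, one generator stream, per-file keys drawn from it in processing order, and recovery by brute-forcing seeds near the earliest mtime and replaying the stream in mtime order.

```python
"""Toy model of a time-seeded file encryptor and the matching recovery.

Illustrative code only: not Rhysida, not the KISA decryptor, not LibTomCrypt.
ToyPrng (SHA-256 chain) stands in for the ChaCha20 CSPRNG and
keystream_xor (HMAC-SHA256 counter mode) stands in for AES-256.
"""
import hashlib
import hmac
import struct

KEY_LEN = 32          # bytes of generator output consumed per file


class ToyPrng:
    """Deterministic generator: the 32-bit seed fixes every byte it will ever emit."""

    def __init__(self, seed32: int) -> None:
        self.state = hashlib.sha256(struct.pack("<I", seed32 & 0xFFFFFFFF)).digest()
        self.counter = 0

    def bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.state + struct.pack("<Q", self.counter)).digest()
            self.counter += 1
        return out[:n]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, block index). Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack("<Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def ransomware_run(files: dict, exec_time: int) -> list:
    """Model the encryptor: seed once from the execution time, then encrypt files
    in list order, each with the next KEY_LEN bytes of generator output.
    Returns (name, ciphertext, mtime); mtime = exec_time + index models files
    being written one after another (constructed assumption)."""
    prng = ToyPrng(exec_time)
    encrypted = []
    for i, (name, plaintext) in enumerate(files.items()):
        key = prng.bytes(KEY_LEN)
        encrypted.append((name, keystream_xor(key, plaintext), exec_time + i))
    return encrypted


def seed_window(encrypted: list, slack: int) -> tuple:
    """The earliest mtime is an upper bound on when the run started; search back
    `slack` seconds from it."""
    earliest = min(mtime for _, _, mtime in encrypted)
    return earliest - slack, earliest


def recover(encrypted: list, t_low: int, t_high: int, magic: bytes) -> dict:
    """Try every seed in [t_low, t_high]; for each, replay the generator in
    mtime order and accept the seed only if every file decrypts to `magic`."""
    ordered = sorted(encrypted, key=lambda entry: entry[2])
    for seed in range(t_low, t_high + 1):
        prng = ToyPrng(seed)
        result = {}
        for name, ciphertext, _ in ordered:
            plaintext = keystream_xor(prng.bytes(KEY_LEN), ciphertext)
            if not plaintext.startswith(magic):
                break                     # wrong seed (or wrong order): stop early
            result[name] = plaintext
        else:
            return result                 # every file passed the known-plaintext check
    return {}


# Constructed sample input: three small "documents" with a recognisable header.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7 quarterly report",
    "invoice.pdf": b"%PDF-1.4 invoice 0042",
    "memo.pdf": b"%PDF-1.5 internal memo",
}
SAMPLE_EXEC_TIME = 1_700_000_000          # arbitrary Unix time for the toy run


if __name__ == "__main__":
    encrypted = ransomware_run(SAMPLE_FILES, SAMPLE_EXEC_TIME)
    low, high = seed_window(encrypted, slack=3600)
    recovered = recover(encrypted, low, high, b"%PDF")
    for name, plaintext in recovered.items():
        print(name, plaintext)
```

In the toy each file's key is simply the next 32 bytes of the stream, so mtime order is the replay order; on a real sample the thread interleaving described above means the analyst also has to work out which draw from the generator each thread consumed, which is the part of the paper this model deliberately skips. The known-plaintext check on a file header is what turns a candidate seed into a confirmed one: without it you cannot tell a wrong seed's garbage from a right seed's plaintext, and a 32-bit seed narrowed to an hour-wide window is only a few thousand candidates to check.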

The researchers explained that these discoveries allowed them to unlock victims’ files “despite the prevailing belief that ransomware renders data irretrievable without paying the ransom.”

In November, the US government issued a security advisory that included extensive technical details to help orgs not become the next Rhysida victim. ®
