Rhysida ransomware cracked! Free decryption tool released

By neub9
2 Min Read

Good news for organizations affected by the notorious Rhysida ransomware.

A group of South Korean security researchers has discovered a vulnerability in the infamous ransomware that allows encrypted files to be unscrambled.

Researchers from Kookmin University have detailed in a technical paper how they exploited an implementation flaw in Rhysida’s code to regenerate its encryption key.

“Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”

A Rhysida ransomware recovery tool has been developed and is being distributed to the general public by the Korea Internet and Security Agency (KISA).

English language instructions for using the decryption tool are also available.

Unfortunately, the release of the recovery tool and the publication of the researchers’ findings may alert the malicious hackers behind Rhysida to the defect and prompt them to fix it.

Ransomware researchers face a dilemma when they find a flaw that allows them to decrypt victims’ data. They must carefully consider whether to make it public or not. Publicizing the flaw and the recovery method can help affected organizations learn of a way to recover their data without paying a ransom.

However, the existence of a recovery tool can also prompt cybercriminals to fix their code, depriving victims of a potential cure.

The Rhysida decryptor is the latest in a line of ransomware recovery tools that have appeared in recent years, including utilities to help the victims of Yanlouwang, MegaCortex, Akira, REvil, and a version of Conti.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *