South Korean researchers exploited an implementation vulnerability in the ransomware strain used by the Rhysida group to enable victims to decrypt files the hackers had encrypted.
In a research paper this month, the researchers from Kookmin University and the Korea Internet and Security Agency (KISA) wrote that finding the implementation flaw “enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator. … We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware.”
KISA is distributing the decryption tool.
The discovery of the vulnerability and the development of the decryption method are a boon to the victims of Rhysida, a group that was first detected in May 2023 and rapidly became one of the more active ransomware groups in the second half of the year.
The group operates as a ransomware-as-a-service (RaaS) operation, not only running its own campaigns but also making its variant available to affiliates who pay the gang a percentage of what they gain from their attacks. They not only encrypt the data and demand a ransom for the decryption key but also steal data and threaten to release it publicly if the ransom isn’t paid.
Rhysida distributes its ransomware via phishing attacks and uses Cobalt Strike to breach networks and deploy payloads. According to SentinelOne researchers, the Rhysida hackers at times refer to themselves as a “cybersecurity team” that is doing a favor for their victims by targeting their systems to show them the flaws in their security defenses.
Analysts with Check Point outlined the group’s methods and also its probable links to another high-profile ransomware group, Vice Society.
Rhysida has racked up a broad array of victims, including Prospect Medical Holdings – a healthcare group whose 17 hospitals and 166 clinics across the United States were affected by the attack – the British Library, and the Chilean Army.
In August, the U.S. Department of Health and Human Services warned of the threat Rhysida posed to the healthcare industry – noting that other targets included organizations in the education, government, manufacturing, IT, and managed service provider sectors – and in November the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a similar advisory about the group.
In their report, the South Korean researchers wrote that when addressing the ransomware threat, “the most desirable thing is to find the key used to encrypt the data, but this is not an easy task. Since ransomware typically employs a hybrid encryption system, it is difficult to find the key without obtaining the attacker’s private key. Therefore, researchers diligently work to develop decryption methods through reverse engineering by identifying weaknesses in ransomware implementations.”
They analyzed 11 sample files of the Rhysida malware and found that the group uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate its encryption key. The CSPRNG is based on the ChaCha20 algorithm provided by the open-source LibTomCrypt library, and the random numbers it produces depend on the execution time of the Rhysida ransomware, which is what makes the generator's state recoverable.
In addition, they found that the ransomware uses intermittent – or partial – encryption of the data, which makes encryption faster and more difficult for security tools to detect. They also found that the Rhysida ransomware compiles a list of targets and that the process generates 80 bytes of random numbers when encrypting a single file, with the first 48 bytes used as the encryption key.
They used this information to create the decryption tool.
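As an added illustration, not the researchers' tool or Rhysida's code, the script below models the weakness the paper describes: a ChaCha20-based generator whose only entropy is the infection timestamp, emitting 80 bytes per file of which the first 48 are used as key material. Because the seed space is just the plausible seconds around the infection, a recovery routine can regenerate the generator state for each candidate and test it against a known file header. The SHA-256 seeding step, the zero nonce, and the split of the 48 bytes into a 32-byte key and 12-byte nonce are assumptions of this model, not details from the paper.

```python
import struct, hashlib

MASK = 0xFFFFFFFF
def _rotl(v, n): return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):            # ChaCha quarter-round (RFC 7539)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):               # 20 rounds = 10 double-rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def keystream(key, nonce, length):
    return b"".join(chacha20_block(key, nonce, i) for i in range((length + 63) // 64))[:length]

def rng_output(infection_time):
    # Weak seeding (constructed model of the flaw): the generator's entire
    # state is derived from the timestamp, so it can be regenerated later.
    seed_key = hashlib.sha256(struct.pack("<Q", infection_time)).digest()
    return keystream(seed_key, bytes(12), 80)       # 80 random bytes per file

def file_cipher(key_material, data):
    # Assumed layout of the 48 bytes of key material: 32-byte key, 12-byte nonce, 4 unused.
    ks = keystream(key_material[:32], key_material[32:44], len(data))
    return bytes(a ^ b for a, b in zip(data, ks))   # XOR: same call encrypts and decrypts

def encrypt_like_sample(data, infection_time):
    return file_cipher(rng_output(infection_time)[:48], data)

def recover(ciphertext, approx_time, window, known_prefix):
    # Defender side: regenerate the RNG state for every candidate second around the
    # infection time and accept the one whose decryption shows the expected file header.
    for t in range(approx_time - window, approx_time + window + 1):
        candidate = file_cipher(rng_output(t)[:48], ciphertext)
        if candidate.startswith(known_prefix):
            return t, candidate
    return None

SAMPLE = b"%PDF-1.7 constructed sample document body"   # constructed victim file
T_INFECT = 1700000000                                     # constructed infection time
CT = encrypt_like_sample(SAMPLE, T_INFECT)

if __name__ == "__main__":
    print(recover(CT, T_INFECT + 37, 120, b"%PDF"))     # file mtime is only roughly known
```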
“Leveraging these vulnerabilities, we successfully reconstructed the encryption key and restored the encrypted system,” the researchers wrote. “Despite the prevailing belief that ransomware renders data irretrievable without paying the ransom.”
This isn’t the first time security researchers have been able to develop decryption keys for ransomware, with vendors offering such keys for threats like Hive and Ragnar Locker.
For that matter, this isn’t the first time a decryption key was developed for Rhysida, according to Fabian Wosar, head of ransomware research at cybersecurity firm Emsisoft. After the first reports about the South Korean researchers’ work surfaced, Wosar noted on X (formerly Twitter) that Avast and the French CERT had both found the implementation vulnerability. He also said he had found it himself in May 2023 and that Emsisoft had decrypted hundreds of systems since.
“They are obviously not the first one who found this vulnerability,” Wosar wrote. “This was independently found by at least three other parties, who chose to circulate it in private instead of seeking publication and alerting Rhysida about their problem.”
He also wrote that the South Korean researchers’ paper “only applies to the Windows PE version of the Rhysida ransomware. It does not apply to the ESXi or the PowerShell payload.”