Rhysida ransomware decryptor publicly released | SC Media

Researchers have publicly released a decryption tool for Rhysida ransomware; other cybersecurity experts say they have privately offered this decryption for months.

A Rhysida ransomware decryption tool has been publicly released and detailed in a preprint paper by South Korean researchers on Friday.

The Rhysida decryptor takes advantage of a vulnerability in the ransomware's encryption process, enabling the process to be reverse engineered to recover files.

The researchers, from Kookmin University and the Korea Internet & Security Agency (KISA), developed a method to predict the encryption keys generated by Rhysida, as well as the order in which the malware encrypts files.

Their method is incorporated into a free automatic decryption tool available on the KISA website.

The vulnerability in Rhysida's encryption method was reportedly discovered months earlier by three other independent parties and circulated privately to assist Rhysida victims, according to ransomware expert Fabian Wosar.

Wosar, who is the head of ransomware research at Emsisoft, warned in a post on X that the publication of the decryption method will alert the Rhysida group to the vulnerability, giving them the opportunity to fix it.

Wosar also told SC Media that the publicly available tool is only effective against the Windows Portable Executable (PE) version of Rhysida and does not apply to the ESXi or PowerShell Rhysida payloads, although the vulnerability is still present in the ESXi version.

The Rhysida ransomware first emerged in May 2023 and has struck opportunistic targets in healthcare, education, manufacturing, information technology and government, according to a joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Victims of the Rhysida ransomware-as-a-service (RaaS) group include Prospect Medical Holdings, the British Library (the UK's national library) and Sony-owned video game developer Insomniac Games. Rhysida affiliates are known to use double extortion methods of encryption and exfiltration, threatening to leak victim information if the ransom is not paid.

A previous technical analysis of Rhysida by Avast's threat research team in October showed that the malware uses LibTomCrypt for encryption, and specifically uses a ChaCha20-based cryptographically secure pseudorandom number generator (CSPRNG) to generate encryption keys and initialization vectors.

The South Korean researchers revealed a vulnerability in this generation process that makes the encryption keys relatively easy to reverse engineer. They found that the entropy Rhysida feeds into the CSPRNG is generated by the rand() function of the C standard library, and that the seed of rand() is derived from the system time at the moment the function is executed.

The correlation between encryption time and the generated encryption key greatly narrows the set of possible keys for a given file. It is therefore feasible to identify the correct key by trying candidate seeds against the encrypted files until a file is successfully decrypted.

Additionally, the researchers could identify the encryption order of files because the modified time (mtime) of each file changed when it was encrypted. Once one file is successfully decrypted, the remaining files can be decrypted more easily because of the predictable sequence in which Rhysida draws keys from the CSPRNG.

KISA instructs users of the decryption tool to ensure all malicious code is removed from the system prior to use, and further notes that "100% decryption is difficult" and that "KISA is not responsible for any problems caused by misuse," as stated in the English version of the user manual.

Wosar spoke with SC Media about his discovery of the Rhysida encryption vulnerability in May 2023 and his frustration with the researchers' decision to make the technical details public.

"It makes it trivial for the threat actors to adapt the payload and fix the vulnerability," said Wosar, who predicted an updated Rhysida payload will surface within a couple of days.

He said that since he first discovered the encryption flaw, his team has helped restore hundreds of systems and recover petabytes of data, likely preventing roughly $100 million in ransom payments, by working privately with victims and law enforcement.

He also noted that French cybersecurity officials privately published a paper on the Rhysida vulnerability in June, and that Avast independently discovered the flaw some months later.

Avast Malware Research Director Jakub Křoustek confirmed to SC Media that the company discovered the vulnerability in August 2023 and privately provided a free decryption tool to victims, allowing for the recovery of hundreds of thousands of files and the restoration of large server infrastructures.

Křoustek said that, in light of the public Rhysida decryptor release, Avast plans to publish its own tool alongside its other public decryptors in the coming days. He explained the deciding factors for making a decryption tool public or private, saying: "It heavily depends on the current situation, such as the level of activity of the particular ransomware strain, its target segment (consumer vs. enterprise vs. SMB) and other aspects."

Enterprise victims are more likely to be aware of the private channels through which decryption tools can be accessed, compared with private end users, who may benefit more from public decryptor releases, Křoustek noted.

Wosar also pointed out that the type of decryptor makes a difference, as decryptors that rely on leaked private keys are safer to release than those that rely on vulnerabilities the threat actors can subsequently patch.

He offered the example of CryptoDefense, a ransomware strain that in 2014 was discovered by Symantec to inadvertently leave private encryption keys behind on victims' computers. Symantec publicized this discovery, and within 24 hours the ransomware developer began spreading versions of CryptoDefense without this flaw, as noted in a 2014
Emsisoft blog post.

Wosar recommends that researchers who discover similar flaws in malware, rather than detailing them publicly, should privately reach out to law enforcement or to fellow threat researchers like himself, in order to best deliver the tools to victims without tipping off threat actors.

"If you find a vulnerability within a ransomware family, keep it under wraps, inform authorities, let them help you get the tool to victims directly, which they are happy to do," Wosar said.
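The weakness reported above (per-file keys drawn from a CSPRNG whose only entropy is rand() output, rand() seeded from the system time, and the files' mtimes revealing the encryption order) is easiest to see as code. The following Python model is an added example written for this page; it is not Rhysida's code, the Kookmin/KISA method, or Avast's or Emsisoft's decryptor. The LCG constants, the hash-based stand-ins for the ChaCha20 CSPRNG and the stream cipher, the three-file sample set and the one-hour search window are all assumptions made for the demonstration.

```python
"""Toy model of a time-seeded key schedule and its recovery.

Added example, not Rhysida's code. The payload model seeds a rand()-style
LCG with its launch time and derives one key/nonce per file from CSPRNG
output whose only entropy is that LCG. The recovery model brute-forces the
seed against the earliest-mtime file, using a known file header as the
"did it decrypt?" oracle, then replays the generator over the other files
in mtime order. All constants and sample data are constructed.
"""
import hashlib
import struct

# Known 4-byte file headers used as the decryption oracle (constructed list).
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG")


class CRand:
    """Stand-in for the C library rand(): an MSVC-style LCG (constants assumed)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def csprng_output(entropy: bytes, nbytes: int) -> bytes:
    """Hash-based DRBG standing in for the ChaCha20 CSPRNG. Its output is
    fully determined by the entropy it is fed, which is the whole problem."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(entropy + struct.pack("<I", ctr)).digest()
        ctr += 1
    return out[:nbytes]


def derive_file_key(rng: CRand) -> tuple[bytes, bytes]:
    """Per-file key and nonce: 16 rand() calls are the CSPRNG's only entropy."""
    entropy = b"".join(struct.pack("<H", rng.rand()) for _ in range(16))
    material = csprng_output(entropy, 32 + 12)
    return material[:32], material[32:]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in (keyed hash in counter mode). Decryption is the
    same operation, and the keystream depends only on position, so a prefix
    of the ciphertext decrypts on its own."""
    ks, blk = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + nonce + struct.pack("<I", blk)).digest()
        blk += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def locker(launch_time: int, plaintexts: list[bytes]) -> list[tuple[int, bytes]]:
    """Payload model: seed rand() with the launch time, encrypt files in
    sequence. Returns (mtime, ciphertext) pairs; mtime is when the file was
    rewritten, which is what leaks the encryption order."""
    rng = CRand(launch_time)
    out = []
    for i, pt in enumerate(plaintexts):
        key, nonce = derive_file_key(rng)
        mtime = launch_time + 2 + 3 * i  # a few seconds per file (constructed)
        out.append((mtime, stream_xor(key, nonce, pt)))
    return out


def recover(encrypted: list[tuple[int, bytes]], window: int = 3600):
    """Decryptor model: order files by mtime, try every seed in the `window`
    seconds before the earliest mtime against that file's header, then
    replay rand() to derive the keys of all later files. Returns
    (seed, plaintexts in mtime order), or (None, []) if no seed matched."""
    files = sorted(encrypted, key=lambda f: f[0])
    first_mtime, first_ct = files[0]
    for seed in range(first_mtime, first_mtime - window, -1):
        rng = CRand(seed)
        key, nonce = derive_file_key(rng)
        if stream_xor(key, nonce, first_ct[:4]) not in KNOWN_MAGIC:
            continue  # wrong seed: header is garbage
        plaintexts = [stream_xor(key, nonce, first_ct)]
        for _, ct in files[1:]:  # generator continues in encryption order
            key, nonce = derive_file_key(rng)
            plaintexts.append(stream_xor(key, nonce, ct))
        return seed, plaintexts
    return None, []


if __name__ == "__main__":
    docs = [b"%PDF-1.7 quarterly report", b"PK\x03\x04 backups.zip",
            b"\x89PNG\r\n\x1a\n logo"]
    enc = locker(1_700_000_000, docs)
    seed, pts = recover(enc)
    print("seed", seed, "recovered", pts == docs)
```

The search cost is the width of the plausible launch window in seconds, not the size of the key space, which is why the file's mtime (or any log entry for when the payload ran) is the decisive input. It also shows why Wosar expects a quick fix: a payload that seeds from a real entropy source instead of the clock leaves nothing for `recover()` to iterate over, and the same oracle would have to try 2^256 keys.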
Copyright 2024 CyberRisk Alliance, LLC. All Rights Reserved.