iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
South Korean researchers have developed free decryption methods for the Rhysida ransomware gang, providing relief to those whose data has been encrypted by the hacking group.
Researchers from Kookmin University, with the support of the Korea Internet and Security Agency (KISA), exploited vulnerabilities in Rhysida’s encryption methods to reconstruct the encryption key and use it to restore encrypted data.
“Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data,” said researchers Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim and Jongsun Kim in a joint paper analysing Rhysida.
“However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.
“We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”
The researchers said this proves, “despite the prevailing belief that ransomware renders data irretrievable without paying the ransom”, that the decryption of data encrypted by threat actors is possible.
“We anticipate further studies in this direction to aid ransomware victims and that our findings will benefit those affected by the Rhysida ransomware,” they said.
Following this, the KISA has released a Rhysida decryption tool on its website, along with a user manual, all of which can be used for free by victims of the threat group.
The tool works by scanning for encrypted files and decrypting them automatically, creating new files with “_dec” added to the name to indicate decryption.
The KISA manual recommends users delete malware from their devices before decrypting to avoid re-encryption. It also says that 100 per cent decryption is unlikely and difficult.
Rhysida is a lesser-known ransomware group that has begun making a name for itself over the last six months.
The group claimed responsibility for the attack on the British Library back in November last year, which the library is still struggling to recover from, with some systems still down.
A month later, the threat actor attacked major video game developer Insomniac Games, the group responsible for the Spider-Man, Spyro and Wolverine titles, with the latter still under development.
The attack leaked the details of staff and developers, as well as screenshots and documents relating to the new title.
The group set a deadline for ransom to be paid, and it published 1.67 terabytes of stolen data minutes after the deadline passed.
Be the first to hear the latest developments in the cyber industry.
