Rhysida Ransomware Cracked, Free Decryption Tool Released

Summary:
A group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA) uncovered an implementation vulnerability that enabled them to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. “Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator,” the researchers noted.

A recovery tool has been released that victims can use to recover files locked by Rhysida ransomware without having to pay the ransom. Before using the tool, it is recommended to back up the encrypted files separately in case decryption fails.

Link to recovery tool:
https://seed.kisa.or.kr/kisa/Board/166/detailView.do

Security Officer Comments:
Rhysida ransomware began operations in May 2023. Since then, it has launched numerous attacks targeting the education, manufacturing, and government sectors. Like any other ransomware gang, Rhysida actors engage in double extortion schemes, pressuring victims into paying a ransom by threatening to release their data to the public. The release of a free decryptor tool will likely put a halt to Rhysida operations until the actors come out with an updated encryptor. In the meantime, victims who have been unable to recover their files can now do so using the tool provided by KISA.

Link(s):
https://thehackernews.com/2024/02/rhysida-ransomware-cracked-free.html