February 12, 2024 at 10:48AM
South Korean researchers discovered and publicly disclosed a flaw in Rhysida ransomware, enabling the creation of a free Windows decryptor. This ransomware is known for targeting healthcare organizations and was the subject of a warning by the FBI and CISA for attacks against various industries. The flaw allowed for the recovery of encrypted data without the need for the attacker’s private key. An automated decryption tool is now available for victims.
The report makes clear that the Rhysida ransomware’s encryption flaw has been publicly disclosed by South Korean researchers, leading to a Windows decryption tool that recovers files for free. The flaw lies in the Rhysida Windows encryptor, and the recovery method exploits weaknesses in the ransomware’s encryption process: a predictable seed value for its random number generator and its intermittent encryption technique.
As a result, the South Korean researchers, in collaboration with KISA, have developed a systematic method to regenerate the CSPRNG state by enumerating candidate seed values within the expected range. This approach has enabled them to derive a valid key and reverse the data encryption without requiring the attacker’s private key.
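The following is an added, self-contained illustration of the two weaknesses named above; it is not Rhysida’s actual algorithm, nor KISA’s tool or the researchers’ code. It uses an assumed toy cipher (a SHA-256-based keystream, XORed onto only the first 256 bytes of every 1024-byte chunk to mimic intermittent encryption) and an assumed timestamp-style seed. It shows why a key derived from a seed drawn from a narrow range can be regenerated by a recovery tool that checks each candidate against known plaintext (here, a PDF header that intermittent encryption leaves partly verifiable), and contrasts that with a seed drawn from the operating system’s CSPRNG, which gives no such shortcut.

```python
import hashlib
import os
import struct

CHUNK = 1024       # toy intermittent encryption: each chunk is this long ...
ENC_BYTES = 256    # ... and only its first ENC_BYTES bytes are encrypted


def derive_key(seed: int) -> bytes:
    """Toy key derivation: the key is a hash of the seed.

    The hash is not the weakness; the weakness is the size of the seed space
    when the seed is something like a timestamp (assumption for this example).
    """
    return hashlib.sha256(b"toy-kdf" + struct.pack("<Q", seed)).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated to n."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<Q", ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def intermittent_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt (or decrypt: XOR is symmetric) only the head of each chunk.

    Everything past ENC_BYTES in a chunk is left as plaintext, which is what
    makes intermittent encryption fast and also leaves known-plaintext material.
    """
    ks = keystream(key, len(data))
    out = bytearray(data)
    for off in range(0, len(data), CHUNK):
        end = min(off + ENC_BYTES, len(data))
        out[off:end] = xor(data[off:end], ks[off:end])
    return bytes(out)


def recover_seed(ciphertext: bytes, known_prefix: bytes, t_low: int, t_high: int):
    """Regenerate the key by enumerating seeds in [t_low, t_high].

    A candidate is accepted when its keystream turns the encrypted file header
    back into the known plaintext prefix (e.g. a file-format magic value).
    Returns the seed, or None if no candidate in the window matches.
    """
    head = ciphertext[:len(known_prefix)]
    for seed in range(t_low, t_high + 1):
        if xor(head, keystream(derive_key(seed), len(head))) == known_prefix:
            return seed
    return None


def secure_seed() -> int:
    """What a sound design does instead: 128 bits from the OS CSPRNG.

    There is no 'expected range' to enumerate, so the search above is infeasible.
    """
    return int.from_bytes(os.urandom(16), "little")


def demo():
    # Constructed sample: a small PDF-like file and a timestamp-like seed.
    plaintext = b"%PDF-1.7\n" + b"A" * 3000
    victim_seed = 1_700_000_000                      # assumed Unix-time seed
    ciphertext = intermittent_crypt(plaintext, derive_key(victim_seed))

    # A recovery tool only knows roughly when the file was encrypted, so it
    # searches a window of candidate seeds around that time.
    found = recover_seed(ciphertext, b"%PDF-1.7", victim_seed - 500, victim_seed + 500)
    recovered = intermittent_crypt(ciphertext, derive_key(found)) if found is not None else None
    return found, recovered == plaintext


if __name__ == "__main__":
    seed, ok = demo()
    print(f"recovered seed: {seed}, file restored: {ok}")
```

The search succeeds only because the seed space is small and the file header is predictable; the same check run against a key derived from `secure_seed()` has roughly 2^128 candidates and no usable window.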
Furthermore, an automated decryption tool for Windows is available on KISA’s website, accompanied by a technical paper with usage instructions in both Korean and English. However, it’s important to note that the tool’s safety and effectiveness cannot be guaranteed.
Ransomware expert Fabian Wosar has provided insights on the flaw, highlighting that it only works for files encrypted by the Rhysida Windows encryptor and not for files encrypted on VMware ESXi or via its PowerShell-based encryptor.
It’s also been revealed that the encryption flaw has been privately exploited for months by cybersecurity firms and governments worldwide since at least May 2023. Although the South Korean researchers have justified publicly disclosing the flaw as a means to mitigate the damage and contribute to the resilience of ransomware victims, Wosar has cautioned that the ransomware operation will likely fix the bug in days, potentially making file recovery without paying a ransom demand impossible.
Overall, the report provides a comprehensive overview of the encryption flaw in the Rhysida ransomware and the subsequent effort to develop a decryption tool, along with the potential implications of publicly disclosing the flaw.