This is good news for organizations that fell victim to the notorious Rhysida ransomware.
A group of South Korean security researchers has discovered a vulnerability in the ransomware that provides a way to decrypt the files it has encrypted.
In a technical paper about their findings, Kookmin University researchers described how they exploited an implementation flaw in Rhysida’s code to regenerate its encryption keys.
“The Rhysida ransomware uses a secure random number generator to generate encryption keys and subsequently encrypt the data. However, there is an implementation vulnerability that allows us to regenerate the internal state of the random number generator during infection. We successfully decrypted the data using a regenerated random number generator. To our knowledge, this is the first successful decryption of Rhysida ransomware.”
In due course, the Rhysida ransomware recovery tool was developed and distributed to the public through the Korea Internet Security Agency (KISA).
Fortunately, for those who don’t understand Korean, English instructions on how to use the decryption tool are also provided.
Unfortunately, disclosing the existence of ransomware recovery tools does come with a price. The release of the tool and the results published by the researchers will inevitably alert the malicious hackers behind Rhysida to its flaw and will almost certainly ensure that it is fixed.
Ransomware researchers are faced with a dilemma. If they discover a flaw in ransomware that allows them to decrypt victim data, they must carefully consider whether to make it public.
Announcing the flaw and recovery method can help hacked organizations understand there is a way to recover their material without paying a ransom.
Advocacy helps spread the message that solutions are possible.
But the presence of recovery tools may also prompt cybercriminals to repair their code, depriving future victims of a potential remedy. So, is it better not to announce the existence of recovery tools?
This is not an easy question to answer.
The Rhysida decryptor is just the latest in a series of ransomware recovery tools that have emerged in recent years, including utilities to help victims of versions of Yanluowang, MegaCortex, Akira, REvil and Conti.
Editor’s Note: The opinions expressed in this guest author article are those of the contributor and do not necessarily reflect the views of Tripwire.