Rhysida Ransomware Cracked, Free Decryption Tool Released

February 12, 2024NewsroomVulnerability / Data Recovery

Rhysida Ransomware Cracked

Cybersecurity researchers have discovered an “implementation vulnerability” that makes it possible to reconstruct encryption keys and decrypt data locked by the Rhysida ransomware.

The findings were published last week by a team of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

“Through a comprehensive analysis of the Rhysida Ransomware, we identified an implementation vulnerability, which allowed us to change the encryption key used by the malware,” the researchers said. SAYS.

The development marks the first successful decryption of the ransomware strain, which first appeared in May 2023. recovery tool distributed through KISA.


The study is also the latest to achieve data decryption by exploiting vulnerabilities in ransomware implementations, after Magniber v2Ragnar Locker, Avaddonand Hive.

Rhysidawhich is known to share overlaps with another ransomware crew called Vice Society, uses a tactic known as double extortion to apply pressure on victims to pay by threatening to release their stolen data.

An advisory published by the US government in November 2023 calls on threat actors to conduct opportunistic attacks targeting the education, manufacturing, information technology, and government sectors.

A thorough examination of the inner workings of the ransomware revealed its use of LibTomCrypt for encryption as well as parallel processing to speed up the process. It is also found to implement intermittent encryption (aka partial encryption) to avoid detection by security solutions.

“Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key,” the researchers said. “This generator uses a cryptographically secure algorithm to generate random numbers.”

Specifically, CSPRNG is based on ChaCha20 Algorithm provided by LibTomCrypt librarywith a random number generated that is also related to the time during which the Rhysida ransomware is running.


That’s not all. The main process of Rhysida ransomware compiles a list of files to be encrypted. This list is then referenced by various threads that are created to simultaneously encrypt files in a specific order.

“In the Rhysida ransomware encryption process, the encryption thread generates 80 bytes of random numbers when encrypting a file,” the researchers noted. “In this, the first 48 bytes are used as the encryption key and the (initialization vector).”

Using these observations as reference points, the researchers say they obtained the initial seed for decrypting the ransomware, determining the “randomized” order in which the files were encrypted, and the finally recover data without having to pay ransom.

“Although these studies have a limited scope, it is important to recognize that some ransomwares (…) can be successfully decrypted,” the researchers concluded.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment