Rhysida ransomware encryption can be beaten - here’s how

Exterior signage for the British Library, which was impacted by a ransomware attack by the Rhysida cyber criminal group in October 2023
(Image credit: Getty Images)

The Rhysida ransomware group has been wreaking havoc globally in recent months, having claimed responsibility for the devastating attack on the British Library in late 2023. But now a group of researchers have revealed a way to unlock files encrypted by the gang, offering hope for beleaguered victims. 

The researchers, from Kookmin University and the Korea Internet and Security Agency (KISA), have posted a paper which explains how they discovered a method for decrypting files locked by Rhysida.

The ransomware uses a secure random number generator to generate the encryption key and subsequently encrypt the data. But the paper explains that an “implementation vulnerability” enabled the researchers to regenerate the internal state of the random number generator as it was at the time of infection.

Decrypting data seized by Rhysida ransomware requires reconstruction of the encryption key and determination of the order of file encryption, the researchers said, both of which they were able to do.

They said that despite the “prevailing belief that ransomware renders data irretrievable without paying the ransom,” they were able to reconstruct the encryption key and restore the encrypted system.

“We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware. We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware,” they said. KISA has also made a decryption tool available on its website.

Security company Avast said that it has also now publicly released a decryption tool. It said it had been aware of a cryptographic vulnerability in this ransomware for several months and had, since August 2023, been covertly providing victims with its decryption tool.

“Thanks to our collaboration with law enforcement units, we were able to quietly assist numerous organizations by decrypting their files for free, enabling them to regain functionality.”

Avast said that a number of factors affect the encryption and decryption of the files, including the drive letters, the order of files, the number of CPU cores, and the format of files before encryption, and it has set out a number of rules that have to be followed when attempting to decrypt files.
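The mechanism the researchers describe above (regenerating the generator's internal state, then reconstructing keys in the order files were encrypted) and the factors Avast lists (file order, file format) can be illustrated with a toy model. This is an added example, not the researchers', KISA's or Avast's code, and it assumes a constructed generator seeded from a single infection timestamp; the page does not say what Rhysida's actual implementation weakness is.

```python
import hashlib
import os

# Toy generator standing in for a CSPRNG whose whole state is fixed by one small
# seed (constructed for this example; it is NOT Rhysida's real generator).
def keystream(seed: int, stream_id: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed.to_bytes(4, "big") + stream_id.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_in_order(files: dict, seed: int) -> dict:
    """Encrypt files in sorted-path order; the i-th file is XORed with stream i."""
    return {path: xor(data, keystream(seed, i, len(data)))
            for i, (path, data) in enumerate(sorted(files.items()))}

# Known headers of common formats: a candidate seed is accepted only if it turns
# each such file's first bytes back into the header its extension implies.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG"}

def recover_seed(encrypted: dict, t_start: int, t_end: int):
    """Regenerate the generator state by trying every seed in a time window
    (assumption: the seed was the infection timestamp, known to within hours)."""
    ordered = sorted(encrypted.items())          # same order the encryptor used
    for seed in range(t_start, t_end + 1):
        for i, (path, ct) in enumerate(ordered):
            magic = MAGIC.get(os.path.splitext(path)[1])
            if magic and xor(ct[:len(magic)], keystream(seed, i, len(magic))) != magic:
                break                            # header mismatch: wrong seed
        else:
            return seed                          # every checkable file matched
    return None

def decrypt_in_order(encrypted: dict, seed: int) -> dict:
    return {path: xor(ct, keystream(seed, i, len(ct)))
            for i, (path, ct) in enumerate(sorted(encrypted.items()))}

# Constructed victim data: three files, generator seeded with a Unix timestamp.
SAMPLE_FILES = {"docs/report.pdf": b"%PDF-1.7 constructed sample",
                "img/logo.png": b"\x89PNG\r\n\x1a\n constructed sample",
                "notes.txt": b"no known header; recovered once the seed is found"}
INFECTION_TIME = 1700000000
ENCRYPTED = encrypt_in_order(SAMPLE_FILES, INFECTION_TIME)
```

Because every key is a deterministic function of the seed and the file's position in the encryption order, recovering the seed from the files that have a checkable header also recovers files like `notes.txt` that have none.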

“Given the weakness in Rhysida ransomware was publicly disclosed recently, we are now publicly releasing our decryptor for download to all victims of the Rhysida ransomware,” Avast said.

The fight against Rhysida ransomware gains momentum

Other security researchers were apparently also aware of the flaw. Fabian Wosar, head of ransomware research at Emsisoft, said on X that the flaw had been known to others, who had been using it to decrypt ‘hundreds of systems’.

The Rhysida group has been attacking a wide range of sectors, including education, healthcare, manufacturing, tech and government, since May of last year.

The gang has claimed responsibility for the ransomware attack on the British Library, from which it is still recovering. The attack caused massive disruption with the attackers encrypting or deleting parts of the British Library’s IT systems, and copying about 600 gigabytes of data which they then released onto their site on the dark web.

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that Rhysida actors have been spotted operating in a ransomware-as-a-service capacity, where the ransomware tools and infrastructure are leased out in a profit-sharing model.

Any ransoms paid are then split between the group and the affiliates.

Rhysida also engages in “double extortion” demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. The gang asks for its ransom payments in Bitcoin.

After it has encrypted a victim’s data, the ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file, which provides each company with a unique code and instructions to contact the group via a Tor-based portal.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.