
Korean researchers crack open Rhysida ransomware, release decryption tool

Researchers from Kookmin University and the Korea Internet and Security Agency found big mistakes in Rhysida’s encryption process.

Users can now decrypt many systems plagued by Rhysida ransomware, courtesy of Korean researchers who discovered a flaw in the malware—at least for now.

Researchers from Kookmin University in Seoul and the Korea Internet and Security Agency (KISA) posted a paper to arXiv earlier this month detailing an “implementation vulnerability” in the ransomware. The Rhysida group’s namesake ransomware has earned infamy since its emergence in the spring of 2023. US authorities issued an advisory about the group in November 2023 amid high-profile attacks on healthcare institutions, the public sector, and even the British Library.

According to the South Korean team’s findings, Rhysida’s developers made mistakes in their implementation of intermittent encryption, a technique that speeds up a ransomware run by encrypting only part of each file.

Intermittent encryption is an effective ransomware tactic: encrypting only part of a file is enough to make it unusable without the key. The weakness lay in how Rhysida generated those keys. The random number generator behind them was seeded with the system time along with other entropy data, which made its output predictable and shrank the set of possible keys to a range small enough to search. The Korean researchers could therefore regenerate candidate keys across that range and test each one against a given Rhysida-locked file until, voilà, one worked.

Rhysida’s developers also tried to shorten encryption times with parallel processing, in which a main process compiles a list of files to be encrypted in a specific order and hands them off to be encrypted concurrently. This implementation modified file timestamps in a way that let the researchers reconstruct the order in which files had been encrypted. Once one working key had been found by the brute-force method above, that ordering made the remaining keys even easier to predict.
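A toy model of the two recovery steps described in the preceding paragraphs, added here as a worked example and not code from the paper, from KISA’s tool, or from Rhysida itself: a generator whose only entropy is a 32-bit launch timestamp, a partial-prefix stream cipher standing in for intermittent encryption, a brute-force search for the seed using a known-plaintext (file magic) check, and a timestamp-ordered replay of the generator to recover every other file’s key. The generator (SHA-256 in counter mode), the cipher, the file names, the infection time and the search window are all hypothetical stand-ins chosen so the example runs offline.

```python
import hashlib
import struct

ENCRYPTED_PREFIX = 64          # toy "intermittent" scheme: only the first 64 bytes of a file are encrypted
KEY_LEN, NONCE_LEN = 32, 16    # one 32-byte key and 16-byte nonce drawn per file


class TimeSeededDRBG:
    """Deterministic generator whose only entropy is a 32-bit timestamp: a hypothetical
    stand-in for a CSPRNG seeded with the system time. SHA-256 in counter mode keeps the
    example dependency-free; the flaw being modelled is the seed, not the hash."""

    def __init__(self, seed32):
        self.seed = struct.pack("<I", seed32)
        self.counter = 0

    def next_bytes(self, n):
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.seed + struct.pack("<Q", self.counter)).digest()
            self.counter += 1
        return out[:n]

    def next_key_pair(self):
        return self.next_bytes(KEY_LEN), self.next_bytes(NONCE_LEN)


def xor_prefix(data, key, nonce):
    """Stream-cipher the first ENCRYPTED_PREFIX bytes (XOR, so decrypt == encrypt)."""
    head = data[:ENCRYPTED_PREFIX]
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack("<Q", blk)).digest()
                      for blk in range((len(head) + 31) // 32))
    return bytes(x ^ y for x, y in zip(head, stream)) + data[ENCRYPTED_PREFIX:]


def ransom_encrypt(files, launch_time):
    """Simulated encryptor: one generator seeded at launch, key pairs drawn in list order.
    Returns (name, ciphertext, mtime); the mtime advances as each file is rewritten."""
    drbg = TimeSeededDRBG(launch_time)
    out = []
    for i, (name, data) in enumerate(files):
        key, nonce = drbg.next_key_pair()
        out.append((name, xor_prefix(data, key, nonce), launch_time + i))
    return out


def recover_seed(ciphertext, magic, t_low, t_high, max_files):
    """Step 1, brute force: for every launch time in the window and every draw position
    up to max_files, regenerate the key pair and accept the one that turns the file's
    header back into its known magic bytes. The search space is
    (t_high - t_low + 1) * max_files candidates, not 2**256."""
    for seed in range(t_low, t_high + 1):
        drbg = TimeSeededDRBG(seed)
        for pos in range(max_files):
            key, nonce = drbg.next_key_pair()
            if xor_prefix(ciphertext, key, nonce).startswith(magic):
                return seed, pos
    return None


def recover_all(encrypted, seed):
    """Step 2: sort the victims by modification time (the order the encryptor wrote
    them), replay the generator from the recovered seed, and give each file the key
    pair drawn at its rank. No further search is needed."""
    drbg = TimeSeededDRBG(seed)
    recovered = {}
    for name, ct, _mtime in sorted(encrypted, key=lambda f: f[2]):
        key, nonce = drbg.next_key_pair()
        recovered[name] = xor_prefix(ct, key, nonce)
    return recovered


def demo():
    """Constructed victims and a hypothetical infection time; returns (seed, position, all_ok)."""
    originals = [
        ("report.pdf", b"%PDF-1.7\n" + b"A" * 200),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"B" * 200),
        ("notes.docx", b"PK\x03\x04" + b"C" * 200),
        ("db.sqlite", b"SQLite format 3\x00" + b"D" * 200),
    ]
    launch = 1_700_000_000                               # hypothetical infection time (Unix seconds)
    on_disk = ransom_encrypt(originals, launch)[::-1]    # directory listing order != encryption order
    # The responder knows only that the attack ran within a ten-minute window and has
    # one file (the PNG) whose format magic is known: a known-plaintext check.
    png_ct = next(ct for name, ct, _ in on_disk if name == "photo.png")
    seed, pos = recover_seed(png_ct, b"\x89PNG", launch - 300, launch + 300, len(on_disk))
    recovered = recover_all(on_disk, seed)
    return seed, pos, all(recovered[name] == data for name, data in originals)


if __name__ == "__main__":
    print(demo())   # (1700000000, 1, True)
```

The arithmetic is the point: with a ten-minute window and four files the search tries at most 601 × 4 candidates, and a real incident with a known infection hour and a few thousand files is still only millions of hash operations. The weak spot of the method is the oracle: a file with no recognizable header gives the search nothing to check against, so the sample file used for step 1 has to be chosen with care.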

“This is a common programming mistake that can be made by developers who don’t have a solid understanding of random number generators,” Giyoon Kim, a doctoral student at Kookmin University's Digital Forensics & Cryptoanalysis Lab who worked on the report, told IT Brew via email.

KISA has released a recovery program for Rhysida victims on its website, though it warned in an English-language manual that “100% decryption is difficult.” The research team believes fixing the flaw won’t be an easy task for Rhysida’s developers.

“Ultimately, a core part of ransomware encryption can be seen as the key generation process, and it seems that this part needs to be modified in Rhysida,” Kim wrote. “However, we believe that such a fix would require effort.”

SC Magazine reported, however, that publicly disseminating details of the flaws has irked some experts, who worry Rhysida will adapt on a much faster timeline.

Fabian Wosar, the head of ransomware research at security firm Emsisoft, told the magazine his firm had discovered the flaws in May 2023. He countered that it would be “trivial for the threat actors to adapt the payload and fix the vulnerability,” and that the group would likely do so “within a couple of days.” He added that the KISA tool is only effective against Windows Portable Executable (PE) strains of Rhysida.

Jakub Křoustek, Avast’s director of malware research, also told SC Magazine that Avast had separately discovered the flaws in August 2023. An Avast decryption tool that the firm had previously distributed to victims privately will soon be made publicly available in light of the report, Křoustek added.

“We believe that disclosing the decryption process should be treated as a separate issue from threat actors realizing their vulnerabilities,” Kim told IT Brew.

“There are certainly victims who cannot contact the ransomware attacker, and some of these victims may need immediate recovery,” he added. “We believe that if we can provide practical support to someone in immediate need, we should make the tool public.”