A Rhysida ransomware decryption tool has been publicly released and detailed in a preprint paper by South Korean researchers on Friday.
The Rhysida decryptor takes advantage of a vulnerability in the ransomware’s encryption process that allows the encryption keys to be reverse engineered and files recovered.
The researchers from Kookmin University and the Korea Internet & Security Agency (KISA) developed a method to predict the encryption keys generated by Rhysida as well as the order in which the malware encrypts files.
Their method is incorporated into a free automatic decryption tool available on the KISA website.
The vulnerability in Rhysida’s encryption method was reportedly discovered months earlier by three other independent parties, and circulated privately to assist Rhysida victims, according to ransomware expert Fabian Wosar.
Wosar, who is the head of ransomware research at Emsisoft, warned in a post on X that the publication of the decryption method will alert the Rhysida group to the vulnerability, giving them the opportunity to fix it.
Wosar also told SC Media that the publicly available tool is only effective against the Windows Portable Executable (PE) version of Rhysida and does not apply to the ESXi or PowerShell Rhysida payloads, although the vulnerability is still present in the ESXi version.
Rhysida generates encryption key based on system time
The Rhysida ransomware first emerged in May 2023 and has struck several opportunistic targets in healthcare, education, manufacturing, information technology and government, according to a joint advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Victims of the Rhysida ransomware-as-a-service (RaaS) group include Prospect Medical Holdings, the UK national British Library and Sony-owned video game developer Insomniac Games. Rhysida affiliates are known to use double extortion methods of encryption and exfiltration, threatening to leak victim information if ransom is not paid.
A previous technical analysis of Rhysida by Avast’s threat research team in October showed that the malware uses LibTomCrypt for encryption and specifically relies on a ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG) to generate encryption keys and initialization vectors.
The South Korean researchers revealed a vulnerability in this generation process that makes the encryption keys relatively easy to reverse engineer. They found that Rhysida seeds the CSPRNG with entropy data produced by the “rand” function of the C standard library, and that “rand” itself is seeded with the system time at the moment it is called.
The correlation between encryption time and the generated encryption key greatly narrows the possible keys generated for a given file. Thus, it is feasible to identify the correct key by trying multiple iterations against the encrypted files until a file is successfully decrypted.
Additionally, the researchers could identify the order in which files were encrypted because the modified time (mtime) of each file changed when it was encrypted. Once one file is successfully decrypted, the remaining files can be decrypted more easily because of the predictable sequence in which Rhysida draws keys from the CSPRNG.
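To illustrate why a time-seeded “rand” leaves the key recoverable from a file’s mtime, here is an added example that is not part of the article, the paper or the KISA tool. It is a deliberately simplified model (XOR in place of ChaCha20, a 32-byte key drawn straight from rand(), and a constructed PDF header as the known plaintext), and the function and variable names are the example’s own.

```c
#include <stdlib.h>
#include <string.h>
/* Deliberately simplified model of the weakness described above; NOT Rhysida's
 * code. Key bytes come from the C library's rand() after srand(t), where t is
 * the second at which the file was encrypted. */
#define KEY_LEN 32
static void derive_key(unsigned seed, unsigned char key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Toy stream cipher: XOR with the repeated key (stand-in for the real cipher). */
static void xor_crypt(const unsigned char key[KEY_LEN], unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Recovery: the encrypted file's mtime approximates the encryption time, so only
 * the seconds in [mtime - window, mtime] need to be tried. The first seed whose
 * key turns the ciphertext prefix into the known file header is returned; -1 if
 * no candidate in the window matches. */
long recover_seed(const unsigned char *ct, const unsigned char *known_hdr,
                  size_t hdr_len, unsigned mtime, unsigned window) {
    unsigned char key[KEY_LEN], probe[KEY_LEN];
    if (hdr_len > KEY_LEN) hdr_len = KEY_LEN;   /* one key block suffices to test */
    for (unsigned d = 0; d <= window; d++) {
        unsigned cand = mtime - d;
        derive_key(cand, key);
        memcpy(probe, ct, hdr_len);
        xor_crypt(key, probe, hdr_len);
        if (memcmp(probe, known_hdr, hdr_len) == 0)
            return (long)cand;
    }
    return -1;
}

/* Constructed demo: "encrypt" a fake PDF header at second 1700000000, then
 * recover the seed using only the mtime (3 s later), the header and a window. */
long demo_recover(unsigned window) {
    static const unsigned char header[] = "%PDF-1.7";
    const size_t hdr_len = sizeof header - 1;    /* drop the terminating NUL */
    unsigned char file[sizeof header], key[KEY_LEN];
    unsigned enc_time = 1700000000u;
    memcpy(file, header, hdr_len);
    derive_key(enc_time, key);
    xor_crypt(key, file, hdr_len);               /* file now holds ciphertext */
    return recover_seed(file, header, hdr_len, enc_time + 3, window);
}
```

With a 60-second window the seed (and hence the key) is found after at most a few dozen trials; with a window too narrow to reach the true encryption second, nothing matches and the search reports -1.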
KISA instructs users of the decryption tool to ensure all malicious code is removed from the system prior to use and further notes “100% decryption is difficult” and “KISA is not responsible for any problems caused by misuse,” as stated in the English version of the user manual.
Rhysida decryption secretly available to ransomware victims for months
Wosar spoke with SC Media about his discovery of the Rhysida encryption vulnerability in May 2023 and his “frustration” with the researchers’ decision to make the technical details public.
“It makes it trivial for the threat actors to adapt the payload and fix the vulnerability,” said Wosar, who predicted an updated Rhysida payload will surface within “a couple of days.”
He said that since he first discovered the encryption flaw, his team has helped restore hundreds of systems and recover petabytes of data, likely preventing roughly $100 million in ransom payments by working privately with victims and law enforcement.
He also noted French cybersecurity officials privately published a paper on the Rhysida vulnerability in June, and Avast independently discovered the flaw some months later.
Avast Malware Research Director Jakub Křoustek confirmed to SC Media that the company discovered the vulnerability in August 2023 and privately provided a free decryption tool to victims, allowing for the recovery of hundreds of thousands of files and restoration of large server infrastructures.
Křoustek said, in light of the public Rhysida decryptor release, Avast plans to publish its own tool alongside its other public decryptors in the coming days. He explained the deciding factors for making a decryption tool public or private, saying: “It heavily depends on the current situation, such as the level of activity of the particular ransomware strain, its target segment (consumer vs enterprise vs SMB), and other aspects.”
Enterprise victims are more likely to be aware of the private channels through which decryption tools can be accessed, compared with private end-users, who may benefit more from public decryptor releases, Křoustek noted.
Wosar also pointed out that the type of decryptor makes a difference, as decryptors that rely on leaked private keys are safer to release than those that rely on vulnerabilities the threat actors can subsequently patch.
He offered the example of CryptoDefense, a ransomware strain that in 2014 was discovered by Symantec to inadvertently leave private encryption keys behind on victims’ computers. Symantec publicized this discovery and, within 24 hours, the ransomware developer began spreading versions of CryptoDefense without this flaw, as noted in a 2014 Emsisoft blog post.
Wosar recommends that researchers who discover similar flaws in malware, rather than detailing them publicly, should privately reach out to law enforcement or fellow threat researchers like himself, in order to best deliver the tools to victims without tipping off threat actors.
“If you find a vulnerability within a ransomware family, keep it under wraps, inform authorities; let them help you get the tool to victims directly, which they are happy to do,” Wosar said.