Good news for organisations who have fallen victim to the notorious Rhysida ransomware.
A group of South Korean security researchers have uncovered a vulnerability in the infamous ransomware. This vulnerability provides a way for encrypted files to be unscrambled.
Researchers from Kookmin University describe how they exploited an implementation flaw in Rhysida’s code to regenerate its encryption key in a technical paper about their findings.
“Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”
In due course, a Rhysida ransomware recovery tool was developed and is being distributed to the general public through the Korea Internet and Security Agency (KISA).
English language instructions for using the decryption tool have also been made available.
Fortunately, for those who don’t understand Korean, English language instructions on how to use the decryption tool have been provided.
Unfortunately, making the existence of a ransomware recovery tool public does come at a cost. The release of the tool and the researchers’ publication of their findings will inevitably alert the malicious hackers behind Rhysida about its defect – and almost certainly ensure that it will be fixed.
Ransomware researchers are stuck between a rock and a hard place. If they find a flaw in a ransomware that allows them to decrypt victims’ data, they have to consider carefully whether they will make it public or not.
Announcing the existence of a flaw and method for recovery can help hacked organisations learn that there is a method to recover their data without paying a ransom.
Publicity helps spread the word that a solution is possible.
But the existence of a recovery tool can also tip off cybercriminals to fix their code, depriving victims of a potential cure. So is it better not to announce that a recovery tool exists at all?
It’s not a question with an easy answer.
The Rhysida decryptor is just the latest in a line of ransomware recovery tools that have appeared in recent years – including utilities to help the victims of the likes of Yanlouwang, MegaCortex, Akira, REvil, and a version of Conti.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
About Author
