Free decryption tool for Rhysida ransomware released

 


South Korean researchers have found a way to recover files encrypted by the Rhysida ransomware, marking the first successful decryption of this ransomware strain.

A team of experts from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an “implementation vulnerability” related to the use of a cryptographically secure pseudo-random number generator (CSPRNG) by Rhysida ransomware to generate encryption keys.

“This generator employs a cryptographically secure algorithm to generate random numbers,” they stated. By exploiting an implementation flaw within this process, the researchers were able to reconstruct encryption keys, thereby decrypting the locked data.

The researchers have developed a recovery tool, which is now being distributed through KISA, providing affected individuals with a means to regain access to their encrypted data.

The Rhysida Ransomware-as-a-Service (RaaS), which emerged onto the scene in May 2023, swiftly became a significant ransomware threat, targeting various industries across the globe, including education, government, manufacturing, and technology, with a notable emphasis on healthcare and public health. The list of victims includes organizations across Europe, North and South America, Asia, and Australia.

In a recent high-profile incident, Rhysida orchestrated a cyber assault on the British Library, one of the world’s foremost libraries. The attackers took advantage of a vulnerability within the British Library’s VPN software, enabling them to circumvent the firewall and infiltrate the internal network.

While the exact location of Rhysida operators remains unknown, linguistic and temporal cues in their communications with victims point to a potential connection to Russia or the Commonwealth of Independent States (CIS). Furthermore, there are indications that Rhysida may have affiliations with the Vice Society ransomware group, known for its activities in 2021 targeting the education sector.

