
Rhysida ransomware cracked! Free decryption tool released

For organizations affected by the infamous Rhysida ransomware, there is good news.

A team of South Korean security researchers has found a flaw in the infamous ransomware that makes it possible to unscramble encrypted files.

In a technical paper describing their findings, researchers from Kookmin University explain how they regenerated Rhysida’s encryption key by taking advantage of an implementation flaw in the code.

"Rhysida ransomware created the encryption key and then encrypted the data using a secure random number generator. However, there was a flaw in the implementation that allowed us to quickly restore the random number generator's internal state after infection. Using the regenerated random number generator, we were able to successfully decrypt the data. This is the first successful Rhysida ransomware decryption that we are aware of."

The Korea Internet and Security Agency (KISA) is currently distributing a Rhysida ransomware recovery tool to the general public.

Fortunately, English-language instructions for using the decryption tool have also been made available for those who do not speak Korean.

Unfortunately, publicizing the existence of a ransomware recovery tool has its drawbacks. The malicious hackers responsible for Rhysida will undoubtedly learn of the flaw once the tool is released and the researchers publish their findings, almost certainly guaranteeing that it will be fixed.

Researchers studying ransomware are caught in a difficult situation. They must carefully decide whether or not to make public a ransomware flaw that enables them to decrypt victims' data.

By making the flaw and the recovery process public, hacked organizations can learn that there is a way to recover their data without having to pay for it.

Publicity aids in promoting the possibility of a solution.

However, publicity can also prompt cybercriminals to repair their code, denying victims a remedy. Is it therefore preferable to remain silent about the existence of a recovery tool?

It’s not a simple question to answer.

The Rhysida decryptor is the most recent in a line of recently released ransomware recovery tools, including utilities to assist victims of Yanluowang, MegaCortex, Akira, REvil, and Conti.


Editor’s Note: Tripwire does not necessarily share the opinions expressed in this guest author article; they are solely those of the contributor.