Rhysida Ransomware Cracked: Decryption Key Found

Cybersecurity specialists have identified a vulnerability in the implementation of the Rhysida ransomware, which allowed the decryption keys to be recovered and the data locked by the malware to be decrypted. This discovery was published by a research group from Seoul’s Kummin University in collaboration with the Korean Internet and Security Agency (KISA).

This study marks the first successful decryption of this ransomware strain, which emerged in May 2023. A tool for data recovery is now available on the official KISA website.

In November 2023, the U.S. government issued a warning about the Rhysida hacker group, targeting educational, manufacturing, information technology, and government institutions.

Royal Ransomware

This ransomware gang is known for its connections with another group called Vice Society and for employing a double extortion tactic, where victims are threatened with the publication of stolen data if they fail to pay the ransom.

The researchers’ analysis revealed that Rhysida’s proprietary malware uses the LibTomCrypt library for encryption, along with parallel processing and intermittent encryption to speed up the process and avoid detection.

The encryption key generator is based on the ChaCha20 algorithm, ensuring the cryptographic reliability of the generated random numbers. These numbers also depend on the time the malware was launched.

Despite its complexity, the researchers were able to recover the original decryption seed, determine the order of file encryption, and restore the locked data. This discovery underscores that some ransomware programs can be successfully decrypted, and data can be recovered without paying a ransom. While such occurrences are rare, they do happen.

It is now reasonable to expect the Rhysida group to release an updated malware that makes the encryption process more sophisticated and complex, preventing researchers from cracking it. However, who knows, perhaps the South Korean experts from Kummin University will surprise us again in the future.