Korean eggheads crack Rhysida ransomware and release free decryptor tool
2024-02-13 01:47

Some smart folks have found a way to automatically unscramble documents encrypted by the Rhysida ransomware, and used that know-how to produce and release a handy recovery tool for victims.

Rhysida is a newish ransomware gang that has been around since May last year.

In research [PDF] published February 9, South Korea's Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, and Jongsung Kim explained how they uncovered an "implementation vulnerability" in the random number generator used by Rhysida to lock up victims' data.

The Korea Internet and Security Agency is now distributing the free Rhysida ransomware recovery tool, which is the first successful decryptor of this particular strain of ransomware.

Rhysida ransomware uses LibTomCrypt's ChaCha20-based cryptographically secure pseudo-random number generator to create encryption keys for each file.

Some additional observations: the Rhysida ransomware uses intermittent encryption.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/13/rhysida_ransomware_decrypted/