A group of researchers has released a free recovery tool for data encrypted by Rhysida ransomware.
The Rhysida ransomware variant appeared towards the beginning of 2023 and spread quickly, primarily targeting education, healthcare, manufacturing, government, and information technology (IT) sectors. The decryption tool exploits a vulnerability in the malware’s code.
The tool can be downloaded from the researchers’ website. Note: The website is written in Korean, though the user manual for the decryption tool is available in English. Datarecovery.com has not tested this ransomware decryption tool, and we strongly recommend cloning affected storage devices prior to using any type of recovery software.
“Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data,” the researchers wrote. “However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.”
“We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”
Rhysida Ransomware: A Brief Overview
Rhysida actors frequently access victims’ systems by leveraging external-facing remote services (for example, virtual private networks). CISA notes that Rhysida actors have been observed using compromised valid credentials and exploiting Zerologon, “a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol.”
Rhysida actors have been observed creating two folders in the C:\ drive labeled in and out, which are utilized to deploy executables and scripts.
The ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm. However, their approach isn’t truly random — which allowed the research group to generate decryption keys.
It’s likely that Rhysida will be updated to correct the vulnerability, which would prevent the decryption tool from working on future variants. For the time being, however, Rhysida victims have a recovery option that doesn’t involve paying ransoms (which isn’t a good idea in any case — and as we’ve noted in other articles, paying for ransomware is often illegal).
Related: Paying Ransom Doesn’t Restore Data for 25% of Ransomware Victims
Ransomware Recovery and Dark Web Monitoring
Datarecovery.com provides expert resources for recovering from ransomware infection, along with solutions for limiting the organizational impact of a targeted attack.
Our experts have decades of combined experience with ransomware, and through investments in research & development, we provide a comprehensive solution for avoiding — and recovering from — ransomware attacks.
To learn more, call 1-800-237-4200 and ask to speak with a ransomware specialist or submit a case online.