https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/
Zeljka Zorz, Editor-in-Chief, Help Net Security, February 12, 2024

DECRYPTOR FOR RHYSIDA RANSOMWARE IS AVAILABLE!

Files encrypted by Rhysida ransomware can be successfully decrypted, thanks to an implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor.

RHYSIDA AND ITS RANSOMWARE

Rhysida is a relatively new ransomware-as-a-service gang that engages in double extortion. First observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare delivery organizations, and Holding Slovenske Elektrarne (HSE).

According to Check Point Research, the Rhysida ransomware group may simply be the Vice Society hacking group armed with new ransomware.

“The [Rhysida] ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text,” the Cybersecurity and Infrastructure Security Agency (CISA) noted in a cybersecurity advisory published in November 2023.

MAKING THE RHYSIDA RANSOMWARE DECRYPTOR

“Decrypting data encrypted using a symmetric-key cryptographic algorithm requires the encryption key used in the process. Since encryption keys can be generated in various methods, it is important to identify the factors used by ransomware in the key generation process during data encryption,” researchers Giyoon Kim, Soojin Kang, Seungjun Baek and Jongsung Kim from Kookmin University in Seoul and Kimoon Kim from the Korea Internet & Security Agency (KISA) explained.

Like other researchers before them, they established that Rhysida ransomware uses the open-source cryptographic library LibTomCrypt for its encryption routine, and its pseudorandom number generator (PRNG) for both key and initialisation vector (IV) generation. After a thorough analysis of the ransomware, they found that:

* the random numbers generated by the PRNG depend on the execution time of the Rhysida ransomware, which narrows the seed to a search space small enough to brute-force
* the (randomized) order in which files are encrypted can be reconstructed
* Rhysida's encryption thread generates 80 bytes of random numbers when encrypting a single file, the first 48 bytes of which are used as the encryption key and the IV

With that information in hand, they were able to create a recovery tool.

“To the best of our knowledge, this is the first successful decryption of Rhysida ransomware. We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware,” the researchers noted.
© Copyright 1998-2024 by Help Net Security