Cybersecurity researchers from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an implementation vulnerability in the source code of the Rhysida ransomware.
The experts exploited the vulnerability to reconstruct encryption keys and developed a decryptor that allows victims of the Rhysida ransomware to recover their encrypted data for free.
“This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.” reads the paper published by the researchers “We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”
The implementation vulnerability resides in the encryption scheme implemented by the ransomware, specifically, the random number generator (CSPRNG).
The CSPRNG is used to generate the encryption key, which is unique for each attack.
“The random number generator takes a seed as input, sets it as the initial internal state, and generates a sequence of random numbers according to a defined rule. Therefore, if we can identify the initial internal state, regenerating the random number becomes feasible.” reads the paper.
By exploiting the flaw, the researchers demonstrated that is possible to recover the internal state of CSPRNG and use it to create a key to decrypt the data.
The Rhysida ransomware uses CSPRNG, which is based on the ChaCha20 algorithm provided by the LibTomCrypt library.
The researchers noticed that the random number generated by the CSPRNG is based on the execution time of the ransomware. The time value used as a seed is 32-bit data, which implies that the number of possible cases of CSPRNG is up to 2^32.”
The experts also discovered that the ransomware manages a list of files that it is going to encrypt. The ransomware uses various concurrent threads that encrypt the files in a specific order.
“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file. Of these, the first 48 bytes are used as the encryption key and the Initial Vector.” continues the paper.
Based on these observations, the researchers successfully obtained the initial seed for decrypting the ransomware, identified the order used to encrypt the files, and ultimately restored the data without paying any ransom.
“By exploiting these vulnerabilities, we managed to reconstruct the encryption key and recover the encrypted system. This challenges the common belief that ransomware makes data irretrievable without fulfilling the ransom demand. While these findings are based on a limited scope, it is crucial to recognize that certain ransomwares, as demonstrated in this paper, can indeed be successfully decrypted.” concludes the paper.
The Rhysida ransomware group has been active since May 2023. According to the gang’s Tor leak site, at least 62 companies are victims of the operation.
The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”
In December 2023, FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks. The advisory is part of the ongoing #StopRansomware effort, disseminating information about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.
The report includes IOCs and TTPs identified through investigations as recently as September 2023.
Rhysida actors leverage external-facing remote services (e.g. VPNs, RDPs) to gain initial access to the target network and maintain persistence. The group relied on compromised credentials to authenticate to internal VPN access points. According to the advisory, the threat actors have exploited Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts.
The group relies on living off-the-land techniques such as native (built into the operating system) network administration tools to perform malicious operations.
(SecurityAffairs – Hacking, ransomware)