
Researchers release free Rhysida Ransomware decryptor

South Korean researchers have developed free decryption methods for the Rhysida ransomware gang, providing relief to those whose data has been encrypted by the hacking group.

Daniel Croft
Tue, 13 Feb 2024

Researchers from Kookmin University, with the support of the Korea Internet and Security Agency (KISA), exploited vulnerabilities in Rhysida’s encryption methods to reconstruct the encryption key and use it to restore encrypted data.

“Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data,” said researchers Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim and Jongsun Kim in a joint paper analysing Rhysida.

“However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.

“We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”

The researchers said this proves, “despite the prevailing belief that ransomware renders data irretrievable without paying the ransom”, that the decryption of data encrypted by threat actors is possible.

“We anticipate further studies in this direction to aid ransomware victims and that our findings will benefit those affected by the Rhysida ransomware,” they said.

Following this, the KISA has released a Rhysida decryption tool on its website, along with a user manual, all of which can be used for free by victims of the threat group.

The tool works by scanning for encrypted files and decrypting them automatically, creating new files with “_dec” added to the name to indicate decryption.

The KISA manual recommends users delete malware from their devices before decrypting to avoid re-encryption. It also says that 100 per cent decryption is unlikely and difficult.

Rhysida is a lesser-known ransomware group that has begun making a name for itself over the last six months.

The group claimed responsibility for the attack on the British Library back in November last year, which the library is still struggling to recover from, with some systems still down.

A month later, the threat actor attacked major video game developer Insomniac Games, the group responsible for the Spider-Man, Spyro and Wolverine titles, with the latter still under development.

The attack leaked the details of staff and developers, as well as screenshots and documents relating to the new title.

The group set a deadline for ransom to be paid, and it published 1.67 terabytes of stolen data minutes after the deadline passed.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
