Researchers unveil method to decrypt Rhysida ransomware files

The decryption tool is publicly available on the website of the Korea Internet & Security Agency (KISA).


Researchers from Kookmin University, supported by KISA, shared a method to decrypt files infected by the Rhysida ransomware.

‘Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator’, the researchers shared.

KISA posted the decryption tool and its manual on its website. The tool searches for files affected by Rhysida ransomware and automatically decrypts them, creating the decrypted versions in the same folders where the infected files were originally found. The decrypted files are named ‘original file name_dec.’ Additionally, upon completion of decryption, three text files containing file information are generated.
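
The weakness the researchers describe, a sound generator whose internal state can be regenerated after the fact, can be illustrated with a toy model. This is an added example, not the researchers' or KISA's code: the article does not give the actual mechanism, so the timestamp-derived 32-bit seed, the SHA-256 generator, the XOR cipher and all names are assumptions made for illustration.

```python
import hashlib
import struct

MAGIC = b"%PDF-"  # known file header, used to recognise a correct key


def expand(material: bytes, n: int) -> bytes:
    """Deterministic byte stream: SHA-256 over material plus a block counter."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(material + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:n]


def key_from_seed(seed: int) -> bytes:
    """Assumed flaw: the 256-bit key depends only on a 32-bit seed value."""
    return expand(b"key" + struct.pack(">I", seed & 0xFFFFFFFF), 32)


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (encrypts and decrypts): XOR with a keystream."""
    return bytes(a ^ b for a, b in zip(data, expand(key, len(data))))


def encrypt_at(timestamp: int, plaintext: bytes) -> bytes:
    """Encrypt as the modelled malware would at the given Unix time."""
    return xor_cipher(key_from_seed(timestamp), plaintext)


def recover(ciphertext: bytes, mtime: int, window: int = 3600):
    """Regenerate candidate keys for seeds in [mtime - window, mtime]."""
    for ts in range(mtime, mtime - window - 1, -1):
        key = key_from_seed(ts)
        if xor_cipher(key, ciphertext[:len(MAGIC)]) == MAGIC:
            return ts, xor_cipher(key, ciphertext)
    return None  # no seed in the window reproduces the known header


# Constructed sample: a fake document "encrypted" at a made-up time.
SAMPLE = MAGIC + b"1.7\nconstructed sample document\n"
INFECTED_AT = 1_700_000_000
BLOB = encrypt_at(INFECTED_AT, SAMPLE)

if __name__ == "__main__":
    # The file's modification time is slightly later than the seed time.
    print(recover(BLOB, INFECTED_AT + 120))
```

The key is 256 bits long, but in this model only the seed is unknown, so the search covers a few thousand candidates bounded by the file's modification time.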