A Method for Decrypting Data Infected with Rhysida Ransomware
Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, Jongsung Kim
TL;DR
Problem: Rhysida ransomware encrypts data with keys derived from a ChaCha20-based CSPRNG and encrypts files in a parallelized, often non-sequential order, which complicates recovery. Approach: reverse-engineer the RNG implementation to reconstruct its internal state at the time of infection, then recover the keys and the encryption order, enabling data restoration. Contributions: (i) identification of an implementation vulnerability that enables regeneration of the initial seed, (ii) a seed-search-based decryption workflow that searches the 32-bit seed space ($2^{32}$ candidates), (iii) methods to reconstruct the file-encryption order from mtime, and (iv) a decryption pipeline that removes appended RSA-encrypted data and recovers the plaintext. Findings: the approach successfully decrypts Rhysida-encrypted data without any material from the attacker. Significance: provides a practical path to mitigate Rhysida damage and informs future ransomware defenses.
Abstract
Ransomware is malicious software and a prominent global cybersecurity threat. Typically, ransomware encrypts data on a system, rendering the victim unable to decrypt it without the attacker's private key. Subsequently, victims often pay a substantial ransom to recover their data, yet some may still incur damage or loss. This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida ransomware employed a cryptographically secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware. We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware.
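The seed-search workflow outlined in the TL;DR and abstract, as an added Python model that is not the paper's code and does not reproduce Rhysida's actual implementation: it assumes a CSPRNG whose 32-bit seed expands (here via SHA-256, an assumption) to a ChaCha20 key, from which each file's key and nonce are drawn in encryption order, so recovering the seed from one file's known header regenerates every key. All function and class names (SeededCsprng, xor_stream, encrypt_files, recover_seed) and the sample data are constructed for this example; the full $2^{32}$ range is searched the same way with a wider `seed_range`.

```python
import hashlib, struct
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # RFC 8439 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439: 32-byte key, 12-byte nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds: column round, then diagonal round
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(chacha20_block(key, c, nonce) for c in range(-(-length // 64)))[:length]

class SeededCsprng:
    """Assumed CSPRNG: a 32-bit seed expands (via SHA-256, an assumption) to a ChaCha20 key."""
    def __init__(self, seed32: int):
        self.key, self.pos = hashlib.sha256(struct.pack("<I", seed32)).digest(), 0
    def read(self, n: int) -> bytes:  # next n bytes of the generator's ChaCha20 keystream
        out = keystream(self.key, bytes(12), self.pos + n)[self.pos:]
        self.pos += n
        return out

def xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def encrypt_files(seed32: int, files: list) -> list:
    """Model of the infection: each file gets a key and nonce drawn from the PRNG in order.
    Because the draws are sequential, 'files' must be in encryption order (the paper
    reconstructs that order from file mtimes). XOR is symmetric, so this also decrypts."""
    prng = SeededCsprng(seed32)
    return [xor_stream(f, prng.read(32), prng.read(12)) for f in files]

def recover_seed(first_ct: bytes, known_prefix: bytes, seed_range):
    """Seed search: replay the PRNG for each candidate seed and test the first file's header."""
    for seed in seed_range:
        prng = SeededCsprng(seed)
        if xor_stream(first_ct[:len(known_prefix)], prng.read(32), prng.read(12)) == known_prefix:
            return seed
    return None
```

For a file at position k in the encryption order, the search must first discard the k earlier key/nonce draws before testing, which is why the order reconstruction matters.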
