Read at The Register
Researchers from South Korea have uncovered a vulnerability in the random number generator used by the Rhysida ransomware. The flaw enabled them to regenerate the random number generator's state as it was at the time of infection and decrypt victims' data. The Korea Internet and Security Agency (KISA) has released a free recovery tool to help victims of the Rhysida ransomware.
"We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware," the researchers noted.
The Rhysida ransomware targets organizations in education, healthcare, manufacturing, information technology, and government sectors. It is thought to be linked to the Vice Society criminal group and is known to lease out malware and infrastructure to affiliates. The random number generator used by Rhysida is based on the ransomware's time of execution, which limits the possible combinations for each encryption key.
"Rhysida ransomware uses LibTomCrypt's ChaCha20-based CSPRNG to create encryption keys for each file," the researchers explained.
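Why a generator tied to execution time limits the possible keys, shown as an added example (not code from the researchers, KISA, or the ransomware): a responder who knows the approximate infection time and a file-type header can test every candidate second. The SHA-256 counter-mode generator and XOR cipher are toy stand-ins for the ChaCha20-based CSPRNG and the real file cipher, and every name, timestamp and sample file is constructed.

```python
import hashlib
import struct

def _expand(material: bytes, n: int) -> bytes:
    """Toy deterministic byte stream: SHA-256(material || counter) in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(material + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:n]

def file_key(seed: int) -> bytes:
    """Derive a 256-bit key from a 32-bit time seed (stand-in generator, an assumption)."""
    return _expand(struct.pack(">I", seed), 32)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _expand(key, len(data))))

def recover_seed(ciphertext: bytes, known_prefix: bytes, t_start: int, t_end: int):
    """Try every second in [t_start, t_end]; accept the seed whose key
    decrypts the start of the file to the expected file-type header."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(t_start, t_end + 1):
        if xor_stream(file_key(seed), head) == known_prefix:
            return seed
    return None  # infection time lies outside the searched window

# Constructed sample: a "PDF" encrypted at a constructed Unix timestamp.
INFECTION_TIME = 1_700_000_123
PLAINTEXT = b"%PDF-1.7\n" + b"constructed sample document body"
CIPHERTEXT = xor_stream(file_key(INFECTION_TIME), PLAINTEXT)

def recover_file(ciphertext: bytes, approx_time: int, slack_s: int = 600):
    """Search +/- slack_s seconds around a timestamp taken from logs or file metadata."""
    seed = recover_seed(ciphertext, b"%PDF-", approx_time - slack_s, approx_time + slack_s)
    if seed is None:
        return None, None
    return seed, xor_stream(file_key(seed), ciphertext)

if __name__ == "__main__":
    seed, plain = recover_file(CIPHERTEXT, 1_700_000_000)
    print("recovered seed:", seed)
    print("recovered data:", plain)
```

A 20-minute window is only 1,201 candidate keys, compared with 2^256 for a key drawn from an unpredictable source.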