The Breakthrough
The Rhysida ransomware used standard, well-studied algorithms: AES for the file data and RSA for the per-file key material. When correctly implemented, neither can be broken by attacking the ciphertext directly.
That usually leaves defenders with few options, all of which amount to recovering the key rather than the algorithm: intercepting it in transit (a man-in-the-middle attack) or exploiting a flaw in the software that handles it. It was a flaw of the second kind, in the implementation rather than the algorithms, that the Korean researchers identified in Rhysida.
The critical oversight by the Rhysida developers was seeding their pseudo-random number generator (PRNG) with the system's current time. A PRNG is deterministic: the same seed always produces the same sequence. Its output only looks random to an attacker who does not know the seed, so a seed that can be estimated, such as a timestamp, makes the entire sequence, and every key derived from it, reproducible.
The researchers exploited this by reading the modification timestamps (mtime) of the encrypted files. These give an upper bound on the system time at which each file was encrypted, because the ransomware wrote the file after generating its key. By trying candidate seeds at and below that bound, regenerating the key for each and checking whether a file decrypts to something plausible, they could find the seed the PRNG had actually been started with, reconstruct the AES key and IV, and recover the original data.
It is important to contextualize the use of a PRNG in generating cryptographic keys. A computer is deterministic, so "true" randomness is hard to come by and keys are in practice derived from a PRNG. That is acceptable only if the seed cannot be guessed or reconstructed after the fact. Every mainstream operating system exposes an interface for exactly this purpose (for example /dev/urandom or getrandom(2) on Linux and BCryptGenRandom on Windows), fed from hardware and kernel entropy sources. Unfortunately for Rhysida, and fortunately for its victims, the ransomware instead seeded its generator with a 32-bit time value, a fundamental misstep in cryptographic engineering.
(More) Technical Analysis
The core of Rhysida ransomware used the LibTomCrypt library, a widely respected open-source cryptographic library. LibTomCrypt provides a ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG), which offers strong security when it is seeded with sufficient entropy. The generator itself was not the problem.
However, the researchers discovered that Rhysida seeded this CSPRNG with a 32-bit time value. A 32-bit seed gives at most 2^32 possible internal states, which is small enough to search exhaustively, and a seed derived from the clock can be narrowed down much further.
The seed is the starting point from which the generator produces its sequence. For each file it encrypted, Rhysida drew 80 bytes from the generator; the first 48 of those bytes provided the AES-256 key (32 bytes) and the initialization vector (IV, 16 bytes) for that file.
Even with only 2^32 possible seeds, trying all of them for every file would still be computationally expensive. By reading the modification timestamps (mtime) of the encrypted files, the researchers could approximate the system time at which encryption began, which shrank the candidate set to the seconds just before each file was written. They iterated over those candidates, regenerated the key and IV for each, and tested whether the file decrypted correctly; the seed that produced correct plaintext was the one the ransomware had used, and the keys it yields allow the affected files to be decrypted (Kim et al., p. 7-8):
"Correct decryption of encrypted data relies on the encryption key used at the time of encryption. Therefore, if the correct encryption key is regenerated, one or more files will be decrypted correctly. By iteratively generating encryption keys with different seeds and identifying a file decrypted correctly using the key, we can conclude that we have found the initial seed. Furthermore, through analysis, the initial seed used by Rhysida ransomware is the time at the moment of encryption. Efficient retrieval of the initial seed involves examining integers smaller than mtime of files encrypted by Rhysida ransomware."
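The search the quotation describes, as an added example (not the researchers' tooling and not Rhysida's code): a toy model in which the only entropy a ChaCha20-based generator receives is a 32-bit clock value, an 80-byte draw is split into a 32-byte key and a 16-byte IV, and a responder recovers the seed by walking candidate seconds downward from the file's mtime and checking whether a decrypted prefix looks like the expected file type. The ChaCha20 block function follows RFC 8439; the way the seed is padded into the key, the use of the same keystream as a stand-in for AES-256-CTR (both are keystream-XOR constructions, so the check logic is identical), the PNG plausibility test, the seed value and the 37-second write delay are all assumptions made for the illustration, using only the standard library.

```python
"""Added example: recovering a time-seeded CSPRNG seed from a file's mtime.

Stand-in model of the weakness, not LibTomCrypt's exact PRNG construction
and not Rhysida's code. Standard library only.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key32, counter, nonce12):
    """One 64-byte ChaCha20 keystream block (RFC 8439 state layout)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key32))
             + [counter] + list(struct.unpack("<3I", nonce12)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double-rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def keystream(key32, nonce12, length):
    out, block = bytearray(), 0
    while len(out) < length:
        out += chacha20_block(key32, block, nonce12)
        block += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def weak_prng(seed32, length):
    """Assumed weak seeding: the 32-bit time value is the generator's only
    entropy (zero-padded into the ChaCha key), so only 2^32 streams exist."""
    key = struct.pack("<I", seed32 & MASK) + bytes(28)
    return keystream(key, bytes(12), length)


def derive_file_keys(seed32):
    """As the page describes: 80 random bytes per file, the first 48 of which
    are the AES-256 key (32 B) followed by the CTR IV (16 B)."""
    rnd = weak_prng(seed32, 80)
    return rnd[:32], rnd[32:48]


def encrypt_file(plaintext, seed32):
    """Keystream XOR data, standing in for AES-256-CTR. Decryption is the
    same call, since XOR with the same keystream undoes itself."""
    key, iv = derive_file_keys(seed32)
    return xor(plaintext, keystream(key, iv[:12], len(plaintext)))


def recover_seed(ciphertext, mtime, looks_like_plaintext, max_back=3600):
    """Try seeds from the file's mtime downward (the key was generated no
    later than the file was written), regenerate key and IV for each, decrypt
    a 16-byte prefix and return the first seed whose output is plausible."""
    for seed in range(mtime, mtime - max_back, -1):
        key, iv = derive_file_keys(seed)
        head = xor(ciphertext[:16], keystream(key, iv[:12], 16))
        if looks_like_plaintext(head):
            return seed
    return None


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def demo():
    # Constructed sample: a PNG-like file encrypted when the clock read
    # true_seed and written back 37 s later, the mtime a responder would see.
    true_seed = 1700000000
    mtime = true_seed + 37
    plaintext = PNG_MAGIC + b"constructed sample image body" * 4
    ciphertext = encrypt_file(plaintext, true_seed)

    found = recover_seed(ciphertext, mtime, lambda h: h.startswith(PNG_MAGIC))
    restored = encrypt_file(ciphertext, found) if found is not None else None
    return {"true_seed": true_seed, "recovered_seed": found,
            "plaintext_restored": restored == plaintext}


if __name__ == "__main__":
    print(demo())
```

The plausibility check is the weak point of any such search: a file type with a fixed signature (PNG, PDF, ZIP, Office containers) gives a near-zero false-positive rate on 16 bytes, whereas for unstructured data you would want a longer prefix or a secondary check such as a known file embedded in the backup set. Because every file draws fresh random bytes, the search is repeated per file, but the candidate window stays tiny as long as the mtime is trustworthy.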
A key aspect of the decryption process involved analyzing how the ransomware encrypted files and in what order it performed each step:
- AES Encryption: Rhysida used AES-256 in CTR (counter) mode for the file data. CTR mode needs a key and an initialization vector (IV). For each file the ransomware drew 80 bytes from its random number generator and used the first 48 as the AES-256 key (32 bytes) followed by the IV (16 bytes).
- RSA Encryption and OAEP Padding: After generating the AES key and IV, Rhysida encrypted them with a hardcoded RSA-4096 public key, using Optimal Asymmetric Encryption Padding (OAEP). OAEP is the standard way to encrypt a short message (smaller than the RSA modulus) with RSA; it adds randomness to each encryption and protects against the chosen-ciphertext and related attacks that textbook RSA is vulnerable to.
- CSPRNG in Key Generation: The AES key, the IV and the random bytes OAEP consumes were all drawn from the same cryptographically secure pseudo-random number generator, the ChaCha20-based CSPRNG from LibTomCrypt. Because that generator was seeded with the predictable time value, all of this material is reproducible once the seed is known.
- File Encryption Technique: Rhysida employed intermittent encryption, encrypting only selected parts of a file (e.g., the initial 1 MiB of each part for files larger than a certain size) rather than the whole file. This speeds up encryption considerably compared with whole-file encryption; the technique gained popularity with the emergence of LockBit and can be implemented in various ways.
- Storage of Encrypted Keys and IVs: After encrypting the data with AES and the key and IV with RSA, the ransomware appended the RSA-OAEP ciphertext to the end of each file (512 bytes for an RSA-4096 modulus), which is why encrypted files grow slightly.
With the seed recovery in place and the file layout and encryption regions understood, the team was able to decrypt the complete data set.
Conclusion
The successful decryption of Rhysida has significant implications for the fight against ransomware. The landscape is constantly evolving, with attackers frequently innovating their methods, but this case shows that sound algorithms are no guarantee when the surrounding implementation is flawed. It underscores the value of investing in detailed analysis of ransomware behaviour, which can reveal such flaws, and it might inspire new approaches and techniques and pave the way for more proactive strategies.