BLOG Cracking Rhysida: Decrypting Ransomware
David Schmid

Ransomware is malicious software that has become a prominent global cybersecurity threat. These attacks encrypt victims' data, making it inaccessible without a decryption key, which typically comes at a steep price. Despite ongoing efforts to improve digital defenses, ransomware attacks continue to spread, and victims are often left with little choice but to pay the demanded ransom. In the second half of 2023, the Rhysida ransomware caused significant damage, including a notable breach at the British Library and at several healthcare institutions such as King Edward VII's Hospital.

However, a team of South Korean researchers led by Giyoon Kim, Soojin Kang, Seungjun Baek, and Jongsung Kim, has achieved a significant breakthrough by developing a decryption tool, thereby mitigating the damage inflicted by the Rhysida ransomware.



The Breakthrough

The Rhysida ransomware used robust encryption methods such as AES and RSA. Such algorithms are renowned for their security and almost impervious to direct cracking attempts.

This level of security often leaves cybersecurity experts with few options, primarily intercepting or uncovering the encryption key through tactics like man-in-the-middle attacks or exploiting flaws in the software. It was exactly such an implementation flaw that the Korean security researchers identified in Rhysida.

The critical oversight by the Rhysida developers was their reliance on a pseudo-random number generator (PRNG) initialized with the system's current time. A PRNG, by its design, produces sequences of numbers that appear random. However, these sequences can become predictable if the PRNG is initialized with a predictable value.

The Korean researchers made use of this vulnerability by analyzing the creation times of the encrypted files stored in the file system. These timestamps provided an approximate indication of the system time at the onset of the encryption process. By methodically experimenting with these values, they could deduce the correct initialization value for the PRNG and therefore reconstruct the AES key used by the ransomware, allowing for the decryption and recovery of the original data.

It is important to contextualize the use of a PRNG in generating cryptographic keys: in a deterministic system like a computer, generating truly random numbers is inherently challenging, hence the reliance on PRNGs. However, the effectiveness of a PRNG in cryptographic applications depends on starting from a value that cannot be retrospectively deduced or reconstructed. Most systems provide special functions to obtain this level of randomness. Unfortunately for Rhysida, and fortunately for its victims, the ransomware's choice of a predictable "random" value, the system time in seconds, stands out as a fundamental misstep in cryptographic engineering.

(More) Technical Analysis

The core of Rhysida ransomware used the LibTomCrypt library, a widely respected source in cryptographic circles. This choice reflected its reliance on a cryptographically secure pseudo-random number generator (CSPRNG) to create its encryption key, which offers a high level of security when correctly used. In the case of LibTomCrypt, the CSPRNG used is based on the ChaCha20 algorithm.

However, the researchers discovered that the Rhysida implementation seeded this generator with a 32-bit time value. A seed space that small is within reach of exhaustive search, and a predictable one narrows it further, which made the key material recoverable through reverse engineering.

The seed value is a starting point for generating a series of random numbers. In practice, the encryption process of Rhysida ransomware involved generating 80 bytes of random numbers for each file it encrypted. Of these 80 bytes, the first 48 were used as the encryption key and the remainder as the initialization vector (IV).

Given that there are up to 2^32 possible seed values for the CSPRNG, a brute-force approach would still be computationally expensive. By analyzing the timestamps (creation times) of the encrypted files, the researchers approximated the system time at which the encryption process started. This significantly reduced the number of potential seed values they needed to test, allowing them to deduce the correct initialization value for the PRNG far more efficiently. Once they identified the correct seed value, they were able to reconstruct the keys used by the ransomware, enabling the decryption of the affected files (Kim et al., p. 7-8):

"Correct decryption of encrypted data relies on the encryption key used at the time of encryption. Therefore, if the correct encryption key is regenerated, one or more files will be decrypted correctly. By iteratively generating encryption keys with different seeds and identifying a file decrypted correctly using the key, we can conclude that we have found the initial seed. Furthermore, through analysis, the initial seed used by Rhysida ransomware is the time at the moment of encryption. Efficient retrieval of the initial seed involves examining integers smaller than mtime of files encrypted by Rhysida ransomware."

Figure: Kim et al. p. 8, figure 4: The process of obtaining the initial seed of the Rhysida ransomware.
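A condensed model of the seed search described above, written for this post as an added example (it is not code from Kim et al. or from the ransomware). The PRNG and the cipher are SHA-256 stand-ins for LibTomCrypt's ChaCha20 PRNG and AES, the 48/32 key/IV split is the one stated above, and the sample file, the time of encryption and the search window are constructed values.

```python
import hashlib

def prng_bytes(seed: int, n: int) -> bytes:
    # Deterministic output from a 32-bit seed. Assumption: SHA-256 in counter
    # mode stands in for LibTomCrypt's ChaCha20 PRNG; not Rhysida's real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(4, "little") + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return out[:n]

def derive_key_iv(seed: int):
    # The split the post describes: 80 random bytes, first 48 key, rest IV.
    material = prng_bytes(seed & 0xFFFFFFFF, 80)
    return material[:48], material[48:]

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Toy stream cipher standing in for AES (assumption). Symmetric: the same
    # call encrypts and decrypts.
    ks, blk = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + iv + blk.to_bytes(4, "little")).digest()
        blk += 1
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_with_time_seed(plaintext: bytes, epoch_seconds: int) -> bytes:
    # The flaw: the seed is the system time in seconds, so the entire key
    # and IV are determined by one predictable 32-bit value.
    key, iv = derive_key_iv(epoch_seconds)
    return keystream_xor(key, iv, plaintext)

def recover_seed(ciphertext: bytes, mtime: int, known_prefix: bytes, window: int = 3600):
    # The search from Kim et al.: the seed cannot exceed the encrypted file's
    # mtime, so walk downwards from it and stop at the first seed whose
    # regenerated key yields a plausible file header (known plaintext).
    for seed in range(mtime, mtime - window, -1):
        key, iv = derive_key_iv(seed)
        if keystream_xor(key, iv, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed
    return None

def demo():
    plaintext = b"%PDF-1.7\n" + b"constructed sample document " * 4  # constructed
    t_enc = 1_700_000_000                  # constructed moment of encryption
    ct = encrypt_with_time_seed(plaintext, t_enc)
    mtime = t_enc + 2                      # file written shortly after keygen
    seed = recover_seed(ct, mtime, b"%PDF-1.7\n")
    key, iv = derive_key_iv(seed)
    return seed, keystream_xor(key, iv, ct) == plaintext
```

Had the key material come straight from the operating system's CSPRNG instead of a time-seeded generator, there would be no small seed space for `recover_seed` to walk.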

A key aspect of the decryption process involved analyzing the ransomware's method of encrypting files and the order in which it encrypted them.

After understanding the encryption techniques and strategy, the team was able to decrypt the complete data set.

Conclusion

The successful decryption of Rhysida has profound implications for the global battle against cyber threats. The landscape of ransomware is constantly evolving, with attackers frequently innovating their methods. This case highlights the need for investment in cybersecurity and underscores the importance of detailed analysis and understanding of ransomware behaviors, which can reveal vulnerabilities. It might also inspire new approaches and techniques and pave the way for more proactive strategies.
