How did researchers from Seoul manage to solve the secret hacker cipher?
Cybersecurity experts have discovered an implementation vulnerability in the Rhysida ransomware that allowed them to recover encryption keys and decrypt data blocked by the malware. The discovery was published by a team of researchers from Seoul's Kookmin University in collaboration with the Korea Internet and Security Agency (KISA).
The study was the first successful case of decryption of this strain of ransomware, which appeared in May 2023. The data recovery tool is now available on the official KISA website.
In November 2023, the US government issued a warning about a group of Rhysida hackers attacking educational, industrial, information and government institutions.
The ransomware gang is known for its links to another group called the Vice Society, as well as its use of "double extortion" tactics, where victims are threatened to publish stolen data if they do not pay a ransom.
The researchers' analysis showed that the proprietary Rhysida malware uses the LibTomCrypt library for encryption, as well as parallel processing and intermittent encryption to speed up the process of avoiding detection.
The encryption key generator is based on the ChaCha20 algorithm, which guarantees the cryptographic reliability of the generated random numbers. These numbers also depend on the malware launch time.
Despite all the complexity, the researchers were still able to restore the original decryption code, determine the order of file encryption, and restore the locked data. This discovery highlights that some ransomware programs can be successfully decrypted, and data can be recovered without paying a ransom. Although this rarely happens, it still happens.
Now it is reasonable to expect an updated malware from the Rhysida group, which will make the encryption process more sophisticated and complex, which will not allow researchers to crack it. Although who knows, maybe South Korean experts from Kookmin University will surprise us in the future.
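The post says the key generator is ChaCha20-based and that its output depends on the malware launch time. The cryptographic lesson a defender should take from that is that a strong stream cipher does not rescue a weak seed: if the only entropy feeding the generator is a timestamp, the whole key space collapses to the set of plausible launch times, and a recovery tool can walk that set. The example below is added here to illustrate that point; it is not Rhysida's code, not the KISA tool, and makes no claim about how Rhysida actually derives its keys. It contains a straightforward RFC 8439 ChaCha20 block function, a constructed "weak" generator whose seed is a 32-bit launch timestamp (an assumption for the demo), and a recovery routine that, given a ciphertext whose first bytes are a known file header, searches a window of launch times around an approximate value (which in practice would come from logs or file timestamps). The file nonce, the sample plaintext and the timestamp are all constructed sample values.

```python
import struct

# --- RFC 8439 ChaCha20 (added example, pure Python, 20 rounds) ---

def _rotl32(v: int, c: int) -> int:
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for a 32-byte key and 12-byte nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))

def chacha20_keystream(key: bytes, nonce: bytes, length: int, counter: int = 1) -> bytes:
    out = b""
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- Constructed weak key generator: the only entropy is a launch timestamp ---

def weak_file_key(launch_time: int) -> bytes:
    """Hypothetical generator for the demo: ChaCha20 is sound, but a 32-bit
    timestamp padded with zeros means only ~2^32 keys are ever possible, and
    far fewer once the launch time is known to within minutes."""
    seed = launch_time.to_bytes(4, "little") + b"\x00" * 28
    return chacha20_keystream(seed, b"\x00" * 12, 32)

def encrypt_file(data: bytes, file_key: bytes, nonce: bytes) -> bytes:
    return xor_bytes(data, chacha20_keystream(file_key, nonce, len(data)))

# --- Recovery: search the launch-time window using a known file header ---

def recover_file_key(ciphertext: bytes, known_prefix: bytes, nonce: bytes,
                     approx_time: int, window: int):
    """Try every launch time within +/- window seconds of approx_time; a
    candidate is accepted when it decrypts the ciphertext's first bytes to
    the expected header. Returns (launch_time, key) or None."""
    for t in range(approx_time - window, approx_time + window + 1):
        cand = weak_file_key(t)
        ks = chacha20_keystream(cand, nonce, len(known_prefix))
        if xor_bytes(ciphertext[: len(known_prefix)], ks) == known_prefix:
            return t, cand
    return None

def demo() -> dict:
    launch_time = 1700000000                  # constructed sample launch time
    nonce = b"\x01" * 12                      # constructed per-file nonce
    plaintext = b"%PDF-1.7\n%constructed sample document body\n"
    ct = encrypt_file(plaintext, weak_file_key(launch_time), nonce)
    # A responder knows the victim was hit "around" a time (logs, mtimes),
    # say within 5 minutes, and that .pdf files start with "%PDF-1.7".
    found = recover_file_key(ct, b"%PDF-1.7", nonce, launch_time + 137, 300)
    recovered_time, key = found
    return {
        "recovered_time": recovered_time,
        "candidates_tried_at_most": 2 * 300 + 1,
        "decrypted": encrypt_file(ct, key, nonce),
        "plaintext": plaintext,
    }

if __name__ == "__main__":
    r = demo()
    print("recovered launch time:", r["recovered_time"])
    print("decrypted ok:", r["decrypted"] == r["plaintext"])
```

The design point is the one the post gestures at: the generator being "based on ChaCha20" says nothing about key strength if the seed is predictable. A sound implementation draws the seed from the operating system's CSPRNG (`os.urandom(32)` in Python) so the search above has 2^256 candidates instead of a few hundred; the same reasoning is why incident responders keep precise timelines, since the narrower the launch-time window, the cheaper the recovery.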
