How to decrypt files encrypted by Rhysida ransomware without the attacker's private key
Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, Jongsung Kim
Computers & Security, Volume 151, Article 104340. Published 2025-01-21. DOI: 10.1016/j.cose.2025.104340
Source: https://www.sciencedirect.com/science/article/pii/S016740482500029X
Citation count: 0
Abstract
Ransomware is malicious software that constitutes a prominent global cybersecurity threat. It typically encrypts data on a system, leaving victims unable to decrypt it without the attacker's private key. Victims often pay substantial ransoms to regain access to their data, yet some still suffer damage or loss. This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida employed a secure random number generator to produce the keys used for data encryption. However, a vulnerability in its implementation enabled us to reconstruct the internal state of the random number generator, which in turn disclosed the encryption keys. Using the regenerated state, we decrypted data infected by Rhysida within a practical amount of time. To the best of our knowledge, this is the first successful decryption of data infected by Rhysida. We hope our findings help mitigate the harm inflicted by the Rhysida ransomware.
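The abstract states that the authors reconstructed the random number generator's internal state and thereby regenerated the file encryption keys. As an added illustration of that class of attack, written for this page and not the paper's method or Rhysida's actual code (the abstract gives neither the generator construction nor the specific flaw), the Python below models a key generator whose entire internal state is a single 32-bit timestamp. A known 8-byte file header and the file's modification time are then enough to rebuild the state, regenerate the key, and decrypt. The hash-based key expansion, the HMAC counter-mode keystream, the function names and the sample file are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Toy model, constructed for illustration: the "ransomware" seeds its key
# generator from a 32-bit Unix timestamp. The expansion below is sound; the
# defect is that the seed space is only the seconds in the encryption window.
# None of this is Rhysida's actual construction, which the abstract does not spell out.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8 known plaintext bytes at the start of every PNG


def derive_key(seed: int) -> bytes:
    """Expand a 32-bit seed into a 32-byte key (deterministic, as every PRNG is)."""
    return hashlib.sha256(b"toy-prng-v1" + struct.pack("<I", seed)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for the file stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("<Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the keystream for key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_seed(ciphertext: bytes, known_prefix: bytes, t_lo: int, t_hi: int):
    """Walk the candidate seed window and test each regenerated key against the
    known plaintext prefix. Returns the seed, or None if the window misses it.
    Each wrong seed matches an n-byte prefix with probability 2**-(8*n), so the
    expected number of false positives is about (t_hi - t_lo) / 2**(8*n); with an
    8-byte magic a window of days is still safe, but confirm by decrypting a
    second file under the same key before trusting the result."""
    n = len(known_prefix)
    head = ciphertext[:n]
    for seed in range(t_lo, t_hi + 1):
        if xor_stream(derive_key(seed), head) == known_prefix:
            return seed
    return None


def demo(seed: int = 1_700_000_000, window: int = 3600):
    """End to end: encrypt a constructed PNG-like file, then recover the key
    from the file's modification time and magic bytes alone."""
    plaintext = PNG_MAGIC + b"constructed sample file body " * 4
    ciphertext = xor_stream(derive_key(seed), plaintext)
    # The file's last-write time is set when the ransomware overwrote it, so the
    # seed (taken a moment earlier) lies within a small window ending at mtime.
    mtime = seed + 17  # constructed: the write finished 17 s after key generation
    found = recover_seed(ciphertext, PNG_MAGIC, mtime - window, mtime)
    if found is None:
        return None, False
    recovered = xor_stream(derive_key(found), ciphertext)
    return found, recovered == plaintext


if __name__ == "__main__":
    print(demo())
```

The point of the model is the size of the search, not the quality of the expansion function: a cryptographically strong hash fed a guessable seed yields keys that are guessable in exactly the same number of attempts. Against a real sample, the window bounds come from the file system (the encrypted file's last-write time and the earliest encryption time visible in event logs), and the known prefix from the file type's magic bytes or any other plaintext the victim still holds.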
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.