Successfully cracked: South Korean researchers release a Rhysida ransomware decryption tool

admin, 13 February 2024 22:28:59, 15 views

Cybersecurity researchers have uncovered an "implementation vulnerability" that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware.


The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).


"Through a comprehensive analysis of Rhysida Ransomware, we identified an implementation vulnerability, enabling us to regenerate the encryption key used by the malware," the researchers said.


The development marks the first successful decryption of the ransomware strain, which first made its appearance in May 2023. A recovery tool is being distributed through KISA.


The study is also the latest to achieve data decryption by exploiting implementation vulnerabilities in ransomware, after Magniber v2, Ragnar Locker, Avaddon, and Hive.


Rhysida, which is known to share overlaps with another ransomware crew called Vice Society, leverages a tactic known as double extortion to pressure victims into paying by threatening to release their stolen data.

An advisory published by the U.S. government in November 2023 called out the threat actors for staging opportunistic attacks targeting the education, manufacturing, information technology, and government sectors.


A thorough examination of the ransomware's inner workings has revealed its use of LibTomCrypt for encryption as well as parallel processing to speed up the process. It has also been found to implement intermittent encryption (aka partial encryption) to evade detection by security solutions.

"Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key," the researchers said. "This generator uses a cryptographically secure algorithm to generate random numbers."


Specifically, the CSPRNG is based on the ChaCha20 algorithm provided by the LibTomCrypt library, and the random numbers it generates are correlated with the time at which Rhysida ransomware is running.


Beyond the predictability of the random numbers, the main process of Rhysida ransomware compiles a list of files to be encrypted; the threads it spawns then reference that list and encrypt the files concurrently in a specific order.


"In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file," the researchers noted. "Of these, the first 48 bytes are used as the encryption key and the [initialization vector]."


Using these observations as reference points, the researchers said they were able to retrieve the initial seed needed to decrypt the ransomware's output, determine the "randomized" order in which the files were encrypted, and ultimately recover the data without paying a ransom.
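The following is an added illustration, not code from the paper or from KISA's recovery tool, of why a time-correlated CSPRNG lets a decryptor recover per-file keys. It is a constructed toy model of the scheme described above: the PRNG key is derived from a 32-bit launch timestamp (assumption), ChaCha20 is implemented inline, each file consumes 80 PRNG bytes whose first 48 are used as a 32-byte key and a 16-byte IV (the split is an assumption), and recovery brute-forces launch seconds near the observed attack time against a known file header; the paper's file-ordering detail is left out.

```python
import hashlib, struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xffffffff

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, ctr_nonce):
    # IETF ChaCha20 block: constants || 32-byte key || 32-bit counter || 96-bit nonce
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + ctr_nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(w, *q)
    return struct.pack("<16I", *((w[i] + st[i]) & 0xffffffff for i in range(16)))

def keystream(key, iv, n):
    # The 16-byte IV supplies the starting counter (4 bytes) and the nonce (12 bytes)
    out, ctr = b"", struct.unpack("<I", iv[:4])[0]
    while len(out) < n:
        out += chacha20_block(key, struct.pack("<I", ctr) + iv[4:])
        ctr = (ctr + 1) & 0xffffffff
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prng_seed_key(seed):
    # Constructed model: the CSPRNG is keyed by nothing but the 32-bit launch time
    return hashlib.sha256(struct.pack("<I", seed)).digest()

def file_key_iv(seed, index):
    # 80 PRNG bytes per file; the first 48 are taken as key (32) || IV (16)
    r = keystream(prng_seed_key(seed), b"\0" * 16, 80 * (index + 1))[80 * index:]
    return r[:32], r[32:48]

def encrypt_all(seed, files):
    return [xor(p, keystream(*file_key_iv(seed, i), len(p))) for i, p in enumerate(files)]

def recover_seed(ciphertext, known_prefix, approx_time, window=300):
    # Decryptor's view: try every launch second in a window around the observed time
    # and accept the seed whose first-file key decrypts the known header correctly
    for seed in range(approx_time - window, approx_time + window + 1):
        key, iv = file_key_iv(seed, 0)
        if xor(ciphertext[:len(known_prefix)], keystream(key, iv, len(known_prefix))) == known_prefix:
            return seed
    return None

def decrypt_all(seed, cts):
    return encrypt_all(seed, cts)  # XOR stream cipher: decryption is the same operation
```

Once the seed is known, every per-file key and IV follows from the PRNG stream, which is the property the researchers' tool depends on; a generator fed with fresh OS entropy per file would leave nothing to brute-force.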


"Although these studies have a limited scope, it is important to acknowledge that certain ransomwares [...] can be successfully decrypted," the researchers concluded.


Update


Following the publication of the story, security researcher Fabian Wosar said that the weaknesses were found by "at least three other parties, who chose to circulate it in private instead of seeking publication and alerting Rhysida about their problem."


"Avast found it in October last year, the French CERT authored and published a private paper about it in June, and I found the vulnerability in May last year," Wosar said. "I don't know about the Avast and CERT data, but we [have] decrypted hundreds of systems since then."


"Also, a word of caution: The paper only applies to the Windows PE version of the Rhysida ransomware. It does not apply to the ESXi or the PowerShell payload."

Originally published on the WeChat official account 知机安全: 成功破解:韩国研究人员发布Rhysida勒索软件解密工具
