Researchers from Kookmin University researchers, supported by the KISA, shared a method to decrypt files infected by the Rhysida ransomware.
'Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection. We successfully decrypted the data using the regenerated random number generator', the researchers shared.
KISA posted the decryption tool and its manual on its website. The decryption process initiated by the tool involves searching for files affected by Rhysida Ransomware. It automatically decrypts these files, creating decrypted versions in the respective folders where the infected files were originally found. The decrypted files are named 'original file name_dec.' Additionally, upon completion of decryption, three text files containing file information are generated.