Threat Research

Decrypted: Rhysida Ransomware

GenDigital

Avast Threat Labs identified a cryptographic vulnerability in Rhysida ransomware and quietly helped victims with a decryptor in collaboration with law enforcement. Following public disclosure of the weakness, the decryptor is now released to all Rhysida victims, with Rhysida having affected 78 organizations across IT, healthcare, universities, and government sectors as of February 2024. #Rhysida #AvastThreatLabs

Keypoints

  • Avast Threat Labs discovered a cryptographic vulnerability in Rhysida and privately assisted victims with a decryptor, working with law enforcement.
  • After the vulnerability was publicly disclosed, the decryptor was released for use by all Rhysida victims.
  • Rhysida has been active since May 2023; by Feb 2024, 78 attacked companies across IT, healthcare, universities, and government sectors were listed on its TOR site.
  • Using the decryptor depends on several PC-specific factors and strict rules, including running the tool on the same machine that was encrypted and performing password cracking on that same machine.
  • The decryptor defaults to 64-bit mode but can be switched to 32-bit with /ptr:32; a testing mode (/nodecrypt) allows verification without changing files.
  • Common file formats are supported, with contact for additional formats at [email protected].

MITRE Techniques

  • [T1486] Data Encrypted for Impact – The ransomware encrypts files to deny access; the decryptor notes that encryption exists and must be addressed, e.g. β€˜The decryptor must be executed on the same machine where the files were encrypted.’
  • [T1110] Brute Force – The decryptor workflow includes a password cracking step; β€˜The next page is where the password cracking process takes place.’

Indicators of Compromise

  • [URL] Decryptor download and related resources – https://files.avast.com/files/decryptor/avast_decryptor_rhysida.exe, and https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/
  • [File] Decryptor binary – avast_decryptor_rhysida.exe
  • [Domain] Avast-related hosting domains – decoded.avast.io, files.avast.com
  • [Email] Contact for additional formats – [email protected]

Read more: https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/