The secret weapon of CERT-FR, Avast and Emsisoft against Rhysida


Rhysida, one of the most active ransomware groups of 2023 according to the company Coveware, had an Achilles' heel. We have just learned that several companies and organizations, including ANSSI's Computer Attack Monitoring, Alert and Response Center (CERT-FR), had identified a flaw that made it possible to decrypt files processed by the ransomware.

This is what Fabian Wosar, head of ransomware research at Emsisoft, has just revealed. According to the timeline he published on

Hundreds of systems decrypted

Still according to his statements, CERT-FR then published a private report during the month of June. Finally, in October, the company Avast also identified the vulnerability. “I don’t know the data from Avast and CERT-FR, but we have since decrypted hundreds of systems,” Fabian Wosar said about his employer’s action.

In a post, Avast specifies that it identified the cryptographic vulnerability in August 2023. Although the company then published a technical analysis of the malware in October, it intentionally kept its discovery quiet, reserving it for ransomware victims. As of February, this gang specializing in extortion lists around 80 victim organizations on its TOR site.

Martinique targeted

A secret that no longer exists since the publication, by five South Korean researchers, of an article on a vulnerability in Rhysida’s encryption. One way, they explain, to help “mitigate the damage inflicted by Rhysida ransomware”. Their announcement was, however, coolly received: by publishing their discovery, they also alerted the cybercriminals.

“It will probably take a few weeks to know if the Rhysida gang has fixed this bug, but they very probably will,” summarizes the specialized newsletter Risky Biz News, unless they abandon this malicious program to launch a new franchise. In France, the local authority of Martinique was the victim of this gang, with an attack recorded in mid-May.

It is not known whether the CERT-FR decryptor could have been used during this major crisis. Data restoration is, however, only one aspect of remediation. “The cyberattack knocked us to the ground, and we are slowly emerging from this situation,” declared the president of the local authority, Serge Letchimy, at the end of September, several months later.
