Flaw allowed CERT-FR (French CSIRT), Avast and Emsisoft to develop an effective decryption tool.

In mid-February 2024, it was revealed that CERT-FR, Avast and Emsisoft had exploited a vulnerability in the Rhysida ransomware to develop a decryption tool. The announcement followed an article outlining the flaw, published on February 9, 2024 by five South Korean researchers at Cornell University. The researchers explained how the vulnerability made it possible to decrypt data hit by the ransomware.

The cybersecurity community was rather critical of the article. Its publication probably alerted the cybercriminals spreading Rhysida, and could have spurred them to use other malware. Good practice in cybersecurity generally entails waiting until a cybercriminal group has corrected a vulnerability before making it public.

In Rhysida’s case, the disclosure prompted Fabian Wosar, head of ransomware research at Emsisoft, to post a long thread on X on February 12, 2024, in which he says he identified the vulnerability in May 2023, shortly after the ransomware gang appeared. He adds that CERT-FR published a private report on the flaw as early as June 2023, followed by Avast in October 2023.

On February 13, 2024, Avast further confirmed the timeline of events. The cybersecurity firm says it discovered the encryption vulnerability in August 2023, before releasing a private technical assessment of the ransomware in October 2023.

These initiatives made it possible to develop effective decryption tools, the use of which had remained secret until now. “I am not familiar with Avast and CERT-FR data, but we have since decrypted hundreds of systems,” claims Fabian Wosar.
