{
	"id": "2a13ab28-7a82-449d-a5e9-f591ee131224",
	"created_at": "2026-04-06T00:10:38.117023Z",
	"updated_at": "2026-04-10T03:34:18.782513Z",
	"deleted_at": null,
	"sha1_hash": "b42dbd8adba2fad044894bee48e3eed98019f031",
	"title": "Decryptor for Rhysida ransomware is available! - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 144210,
	"plain_text": "Decryptor for Rhysida ransomware is available! - Help Net\r\nSecurity\r\nBy Zeljka Zorz\r\nPublished: 2024-02-12 · Archived: 2026-04-05 22:48:25 UTC\r\nFiles encrypted by Rhysida ransomware can be successfully decrypted, due to an implementation vulnerability\r\ndiscovered by Korean researchers and leveraged to create a decryptor.\r\nRhysida and its ransomware\r\nRhysida is a relatively new ransomware-as-a-service gang that engages in double extortion.\r\nFirst observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare\r\ndelivery organizations, and Holding Slovenske Elektrarne (HSE).\r\nAccording to Check Point Research, the Rhysida ransomware group may simply be the Vice Society hacking\r\ngroup armed with new ransomware.\r\n“The [Rhysida] ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm. The\r\nalgorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit\r\nwords in plain text,” the Cybersecurity and Infrastructure Security Agency noted in a cybersecurity advisory\r\npublished in November 2023.\r\nMaking the Rhysida ransomware decryptor\r\nhttps://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/\r\nPage 1 of 2\n\n“Decrypting data encrypted using a symmetric-key cryptographic algorithm requires the encryption key used in\r\nthe process. 
Since encryption keys can be generated in various methods, it is important to identify the factors used\r\nby ransomware in the key generation process during data encryption,” researchers Giyoon Kim, Soojin Kang,\r\nSeungjun Baek and Jongsung Kim from Kookmin University in Seoul and Kimoon Kim from the Korea Internet \u0026\r\nSecurity Agency (KISA) explained.\r\nLike other researchers before them, they established that Rhysida ransomware uses the open-source cryptographic\r\nlibrary LibTomCrypt for its encryption routine, and its pseudorandom number generator (PRNG) functionalities\r\nfor both key and initialisation vector (IV) generation.\r\nAfter a thorough analysis of the ransomware, they found that:\r\nThe random number generated by the PRNG is based on the execution time of the Rhysida ransomware\r\nThey could determine the (randomized) order of files for encryption\r\nRhysida’s encryption thread generates 80 bytes of random numbers when encrypting a single file, the first\r\n48 bytes of which are used as the encryption key and the IV\r\nWith that information in hand, they were able to create a recovery tool.\r\n“To the best of our knowledge, this is the first successful decryption of Rhysida ransomware. We aspire for our\r\nwork to contribute to mitigating the damage inflicted by the Rhysida ransomware,” the researchers noted.\r\nSource: https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/\r\nhttps://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/"
	],
	"report_names": [
		"rhysida-ransomware-decryptor"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b42dbd8adba2fad044894bee48e3eed98019f031.pdf",
		"text": "https://archive.orkl.eu/b42dbd8adba2fad044894bee48e3eed98019f031.txt",
		"img": "https://archive.orkl.eu/b42dbd8adba2fad044894bee48e3eed98019f031.jpg"
	}
}