Avast Decryption Tool for Rhysida 1.0.0.725

Published by

Avast Decryption Tool for Rhysida assists in recovering files and documents locked by Rhysida ransomware. All the Avast Decryption Tools are available in one zip here.

Avast Decryption Tool for Rhysida 1.0.0.725

Avast Decryption Tool for Rhysida assists in recovering files and documents locked by Rhysida ransomware. All the Avast Decryption Tools are available in one zip here.

Rhysida ransomware has been causing security concerns since its emergence in May 2023. As of February 2024, its TOR site reports that 78 companies have been targeted. These companies belong to various sectors, such as Information Technology (IT), healthcare, universities, and government organizations.

Rhysida employs the LibTomCrypt library, specifically version 1.18.1, to carry out various cryptographic operations. For multi-threaded and synchronization operations, Rhysida specifically uses the winpthreads library. Rhysida uses the Chacha20 pseudo-random number generator to generate random numbers, mainly used for creating AES encryption keys, AES initialization vectors, and random padding for RSA-OAEP encryption. It's important to note that the public RSA key is hard-coded into the binary in ASN1 format and then loaded using the rsa_import function. It's worth mentioning that each sample has a different embedded RSA key, ensuring security and uniqueness.

As with all Avast Ransomware Decryptors, the decryption process is completed via an easy-to-follow wizard that prompts for the relevant data.

The encryptor executable supports the following command line arguments:

-d Specifies a directory name to encrypt. If omitted, all drives (identified by letters) are encrypted
-sr Enables self-remove after file encryption
-nobg Disables setting the desktop background
-S When present, Rhysida will create a scheduled task, executing at OS startup under the System account
-md5 When present, Rhysida will calculate the MD5 hash of each file before it is encrypted. However, this feature is not fully implemented yet – the MD5 is calculated, but it’s not used elsewhere later.

If configured to do so, Rhysida ransomware generates a JPEG picture, saves it in C:/Users/Public/bg.jpg, and drops the ransom note (example ransom note is viewable in screenshot # 1). It's worth noting that an earlier version of the ransomware created the image with unwanted artifacts, but this issue was addressed in later builds of Rhysida.

64-bit samples of the Rhysida encryptors are much more common. Therefore, the default configuration of the decryptor assumes a 64-bit encryptor. If you know that it is a 32-bit version (for example, if you have a 32-bit operating system), you can switch the decryptor to 32-bit mode via this command line parameter:

avast_decryptor_rhysida.exe /ptr:32

If you want to verify if the decryption process will work without altering the files, you can utilize the testing mode provided within. You can activate this via the command line parameter below:

avast_decryptor_rhysida.exe /nodecrypt

Similar:
Which Anti-Malware App Is Best and Can It Run Alongside My Antivirus
What's the Be What'sivirus and Is Windows Defender Good Enough?
How to Manage Windows Defender Antivirus Found Threats
What to Do When Your Norton or McAfee Antivirus Expire

Avast Decryption Tool for Rhysida 1.0.0.725