HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ryuk Ransomware Decryptor Bug May Result in Permanent Data Loss

Cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor used by Ryuk ransomware victims to recover their data. A bug in the decryptor app can cause certain files to be corrupted, resulting in permanent data loss.

Ryuk ransomware is one of the most active ransomware variants. It has been used in many attacks on healthcare organizations in the United States, including DCH Health System in Alabama and the recent attack on the IT service provider Virtual Care Provider.

Ryuk ransomware is distributed in several ways. Scans are conducted to identify open Remote Desktop Protocol ports, brute force attacks on RDP are also conducted, and the ransomware is downloaded by exploiting unpatched vulnerabilities. Ryuk ransomware is also installed as a secondary payload by Trojans such as TrickBot.

There is no free decryptor for Ryuk ransomware, so recovery depends on whether viable backups have been made; otherwise victims must pay a sizeable ransom for the keys to decrypt their files.


When Ryuk ransomware victims pay the ransom, they are provided with a decryptor app and the keys to decrypt their files. However, the decryptor app will not allow all files to be recovered. Large files can be corrupted during the decryption process.

This is due to a recent change in the encryption process. Ryuk ransomware no longer encrypts the entire file if the file is larger than 54.4 megabytes. The change was made to speed up the encryption process to make it less likely that the attack will be detected before file encryption has been completed.

Due to the bug, the footer in large files is not correctly calculated. This can cause the decryptor to truncate large files and lose the last byte. This is not a problem for many file types as the last byte often just contains padding and no data. However, some file types, including Oracle database files and virtual disk files (VHD/VHDX), use the last byte. Without that last byte the file will be corrupted and recovery will be rendered impossible.

Further, the original encrypted file is deleted if the decryptor determines that the file has been successfully decrypted, even if decryption has resulted in file corruption. That means that once the decryptor has run, it will not be possible to recover corrupted files.

Prior to decryption, it is important to make a copy of all encrypted files. Decryptors do not always work as expected and some file loss may occur. If copies of the encrypted files have been made and the decryption process does not work as expected, it will be possible to try again. Emsisoft can assist with file recovery and will develop a decryptor for Ryuk ransomware that does not have the bug. Due to the amount of work required by its engineers, the bug-free decryptor is not provided free of charge.
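A pre-decryption safeguard along the lines the article recommends, written here as an added example that is not code from HIPAA Journal or Emsisoft: it copies the encrypted files aside with a size-and-hash manifest before the decryptor runs, then flags decrypted files that deserve a manual check, namely large files (the partial-encryption path) and VHD images whose footer cookie no longer sits in the last 512 bytes. Reading the article's 54.4 megabytes as MiB and the VHD "conectix" footer check are assumptions drawn from the VHD format, not from the article; the sample files in `demo()` are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: the article's "54.4 megabytes" read as MiB; files at or above this size took Ryuk's partial-encryption path.
LARGE_FILE_THRESHOLD = int(54.4 * 1024 * 1024)
VHD_COOKIE = b"conectix"  # a VHD image ends with a 512-byte footer that begins with this cookie

def snapshot_encrypted(src_dir, backup_dir):
    """Copy every encrypted file aside and record its size and hash before the decryptor runs."""
    manifest = {}
    for p in Path(src_dir).rglob("*"):
        if p.is_file():
            rel = p.relative_to(src_dir)
            (Path(backup_dir) / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, Path(backup_dir) / rel)
            manifest[str(rel)] = {"size": p.stat().st_size, "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
    return manifest

def check_decrypted(dec_dir, manifest):
    """Flag decrypted files needing a closer look: large ones, and VHDs whose footer cookie is gone."""
    findings = {}
    for rel, meta in manifest.items():
        p, issues = Path(dec_dir) / rel, []
        if not p.is_file():
            issues.append("missing after decryption")
        elif meta["size"] >= LARGE_FILE_THRESHOLD:
            issues.append("large file: verify contents manually")
        if p.is_file() and p.suffix.lower() == ".vhd" and p.stat().st_size >= 512:
            with open(p, "rb") as f:
                f.seek(-512, os.SEEK_END)  # the footer must occupy exactly the last 512 bytes
                if f.read(8) != VHD_COOKIE:
                    issues.append("vhd footer cookie missing: likely truncated")
        if issues:
            findings[rel] = issues
    return findings

def demo():
    """Constructed run: a tiny VHD-like file loses its last byte, as the buggy decryptor would."""
    root = Path(tempfile.mkdtemp())
    src, bak, dec = root / "enc", root / "backup", root / "dec"
    src.mkdir(); dec.mkdir()
    vhd = b"A" * 1024 + VHD_COOKIE + b"\x00" * 504  # constructed body plus a minimal footer
    (src / "disk.vhd").write_bytes(vhd)
    manifest = snapshot_encrypted(src, bak)
    (dec / "disk.vhd").write_bytes(vhd[:-1])  # the decryptor dropped the final byte
    return check_decrypted(dec, manifest)
```

Because the manifest is taken from the backup copies, a flagged file can be restored from `backup_dir` and decrypted again once a corrected decryptor is available.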

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.