Cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor supplied to Ryuk ransomware victims to recover their data. The bug can cause certain files to be corrupted during decryption, resulting in permanent data loss.
Ryuk ransomware is one of the most active ransomware variants. It has been used in many attacks on healthcare organizations in the United States, including DCH Health System in Alabama and the recent attack on the IT service provider Virtual Care Provider.
Ryuk ransomware is distributed in several ways: scans are conducted to identify exposed Remote Desktop Protocol (RDP) ports, brute force attacks are launched against RDP, and the ransomware is downloaded by exploiting unpatched vulnerabilities. Ryuk is also installed as a secondary payload by Trojans such as TrickBot.
There is no free decryptor for Ryuk ransomware, so recovery depends on whether viable backups have been made; otherwise victims must pay a sizeable ransom for the keys to decrypt their files.
When Ryuk ransomware victims pay the ransom, they are provided with a decryptor app and the keys to decrypt their files. However, the decryptor app will not allow all files to be recovered. Large files can be corrupted during the decryption process.
This is due to a recent change in the encryption process. Ryuk ransomware no longer encrypts the entire file if the file is larger than 54.4 megabytes. The change was made to speed up the encryption process to make it less likely that the attack will be detected before file encryption has been completed.
Due to the bug, the footer in large files is not correctly calculated. This can cause the decryptor to truncate large files and lose the last byte. This is not a problem for many file types as the last byte often just contains padding and no data. However, some file types, including Oracle database files and virtual disk files (VHD/VHDX), use the last byte. Without that last byte the file will be corrupted and recovery will be rendered impossible.
Further, the original encrypted file is deleted if the decryptor determines that the file has been successfully decrypted, even if decryption has resulted in file corruption. That means that once the decryptor has run, it will not be possible to recover corrupted files.
Prior to decryption, it is important to make a copy of all encrypted files. Decryptors do not always work as expected and some file loss may occur. If copies of the encrypted files are made, it will be possible to try again should the decryption process not work as expected. Emsisoft can assist with file recovery and will develop a decryptor for Ryuk ransomware that does not have the bug. Due to the amount of work required by its engineers, the bug-free decryptor is not provided free of charge.
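As an added illustration of the precaution above (this is not code from the article or from Emsisoft), the following Python helper copies the encrypted files to a backup directory with a size and SHA-256 manifest before any decryptor is run, re-verifies those copies later, and lists the files above the 54.4 MB threshold from the article, which are the ones whose decrypted output deserves the closest inspection. It assumes the backup directory lies outside the source tree.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Size above which Ryuk stops encrypting the whole file (figure from the article);
# these are the files the buggy decryptor can truncate by one byte.
LARGE_FILE_THRESHOLD = int(54.4 * 1024 * 1024)


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so multi-gigabyte disk images never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_encrypted(src_dir: Path, backup_dir: Path) -> dict:
    """Copy every encrypted file under src_dir to backup_dir and record size and hash.

    Returns the manifest {relative path: {"size": int, "sha256": str}} and writes it
    next to the copies, so it is still available if a decryptor has to be re-run later.
    """
    manifest = {}
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir).as_posix()
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps; raises on a failed copy
        manifest[rel] = {"size": src.stat().st_size, "sha256": sha256_of(dst)}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_snapshot(backup_dir: Path, manifest: dict) -> list:
    """Re-hash the copies; returns the relative paths whose copy no longer matches."""
    bad = []
    for rel, meta in manifest.items():
        copy = backup_dir / rel
        if (not copy.is_file() or copy.stat().st_size != meta["size"]
                or sha256_of(copy) != meta["sha256"]):
            bad.append(rel)
    return bad


def at_risk_files(manifest: dict, threshold: int = LARGE_FILE_THRESHOLD) -> list:
    """Files large enough to be only partially encrypted, i.e. the ones to inspect after decryption."""
    return sorted(rel for rel, meta in manifest.items() if meta["size"] > threshold)
```

Run `snapshot_encrypted` before the decryptor and keep the manifest with the copies; `verify_snapshot` confirms the backups are still intact before any original is discarded.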