Bug in Ryuk Ransomware Decryptor Could Cause Permanent Loss of Data

Cybersecurity company Emsisoft issued an alert regarding a recently identified decryptor bug utilized by victims of the Ryuk ransomware to retrieve their data. A bug in the decryptor app could result in the corruption of a number of files and permanent loss of data.

Ryuk ransomware is a very active variant of ransomware. Many use it in attacking healthcare companies in the U.S.A, which include Alabama-based DCH Health System and the IT service provider known as Virtual Care Provider.

Ryuk ransomware is deployed in the following different ways:

  • conducting scans to determine open Remote Desktop Protocol ports
  • conducting brute force attacks on RDP
  • downloading ransomware through unpatched vulnerabilities
  • installing the Ryuk ransomware as a secondary payload by Trojans like TrickBot

Decryptor for the Ryuk ransomware is not free, hence, recovery will depend on whether the company has viable backups, if not victims have no choice but to pay a big ransom to get the decryptor keys.

After paying the ransom, Ryuk ransomware victims get a decryptor app including the keys for file decryption. Nonetheless, all files will not be recovered using the decryptor app. Big files may be corrupted in the course of the decryption process.

This is because the encryption process changed recently. Ryuk ransomware does not encrypt the whole file when the file is over 54.4 megabytes. This change was meant to accelerate the encryption process so that the attack won’t be noticed prior to the completion of file encryption.

Because of the bug, there is a miscalculation of the footer in large files. The decryptor would truncate big files and the last byte will be lost. This isn’t an issue for a lot of file types that only have padding in the last byte and no data. But a few file types use the last type, for instance, Oracle database files and virtual disk files (VHD/VHDX). Losing that last byte in these file types results in corrupted files that cannot be recovered.

In addition, the original encrypted file is erased when the decryptor identifies the file as successfully decrypted, when in fact the decryption has caused file corruption. This means that when the decryptor is in operation, corrupted files cannot be recovered.

Before decryption, it is very important to duplicate all encrypted files. Sometimes, decryptors do not work as desired leading to loss of some files. If there are copies of the encrypted files, when the decryption process fails, one can try again. Emsisoft could help victims retrieve their encrypted files by creating a decryptor for the Ryuk ransomware without the bug. Because of the work input by its engineers, those who need this bug-free decryptor must pay for it.