Experts from antivirus maker Emsisoft discovered a bug in the
The bug makes it impossible to completely recover some types of files, causing data loss for victims who have paid the ransom to the operators.
“Essentially, whenever Ryuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of it in order to save time and allow it to work its way through the data as quickly as possible before anyone notices.” reads the post published by Emsisoft.
“The code used by Ryuk to determine how much of a file to encrypt if the file exceeds a size limit of 57,000,000 bytes. Files that are only partially encrypted will show a slightly different-than-normal footer at the end of the file, where Hermes usually stores the RSA-encrypted AES key that was used to encrypt the file’s content.”
Experts pointed out that virtual disk files such as VHD/VHDX and database files such as Oracle database files contain important data in that last byte.
The researchers explained that the Ryuk
For this reason, Emsisoft experts recommend that victims create a backup copy of their encrypted files.
“Please understand that this will only work if you still have copies or backups of your encrypted data, as the Ryuk
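As an added example (not Emsisoft's code and not from the original article), the following Python script inventories encrypted files above the 57,000,000-byte threshold whose original extension suggests a virtual disk or Oracle database file, copies them aside, and writes a size/hash manifest so the backup can be checked for integrity before and after a decrypter is run. The extension list, the function names and the sample `.locked` ransom extension used in testing are assumptions.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Size quoted in the Emsisoft post: above this Ryuk encrypts a file only
# partially, and those are the files the flawed decrypter fails to restore.
RYUK_PARTIAL_ENCRYPTION_THRESHOLD = 57_000_000
# Assumed extensions for the file classes the article names (virtual disks,
# Oracle database files); adjust to your environment.
AT_RISK_SUFFIXES = {".vhd", ".vhdx", ".dbf", ".ora"}

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_at_risk_files(root, threshold=RYUK_PARTIAL_ENCRYPTION_THRESHOLD):
    """Encrypted files large enough to hit Ryuk's partial-encryption path.
    Path.suffixes lets 'disk.vhdx.<ransom ext>' still match on '.vhdx'."""
    return sorted(p for p in root.rglob("*") if p.is_file()
                  and p.stat().st_size > threshold
                  and {s.lower() for s in p.suffixes} & AT_RISK_SUFFIXES)

def backup_at_risk_files(root, backup_dir, threshold=RYUK_PARTIAL_ENCRYPTION_THRESHOLD):
    """Copy at-risk files under backup_dir and write a size/hash manifest."""
    manifest = {}
    for src in find_at_risk_files(root, threshold):
        rel = src.relative_to(root).as_posix()
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = {"size": src.stat().st_size, "sha256": sha256_of(src)}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_backup(backup_dir):
    """Relative paths whose backup copy no longer matches the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    return sorted(rel for rel, m in manifest.items()
                  if not (backup_dir / rel).is_file()
                  or (backup_dir / rel).stat().st_size != m["size"]
                  or sha256_of(backup_dir / rel) != m["sha256"])
```

Run `backup_at_risk_files(Path("/encrypted/share"), Path("/safe/backup"))` before trying any decrypter, and `verify_backup(Path("/safe/backup"))` afterwards to confirm the untouched copies are still intact; the `threshold` parameter exists only so the logic can be exercised on small test files.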
Emsisoft said victims can reach out via email@example.com to have its analysts fix the decrypter they received from the Ryuk gang. However, while Emsisoft is the company that has released the most “free ransomware decrypters” in the past, this is a paid service, since it requires its analysts to correct each decrypter individually, a very time-consuming task.
Ryuk is one of today’s most active ransomware strains. The ransomware is deployed by criminal gangs on enterprise networks using a previous malware infection as an entry point — usually via the Emotet or TrickBot trojans.
The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.
In September, the city of New Bedford was infected with Ryuk ransomware but did not pay the $5.3M ransom. In April, systems at the city of Stuart were infected by the same Ryuk ransomware, and in early March, Jackson County, Georgia, was hit by the same ransomware, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.
(SecurityAffairs – Ryuk ransomware, decryptor)