A bug in the decryptor for the Ryuk ransomware could cause data loss

Pierluigi Paganini December 09, 2019

Emsisoft warns that a bug in the decrypter app of the Ryuk ransomware could damage large files, making it impossible to decrypt them.

Experts from antivirus maker Emsisoft discovered a bug in the decrypter app of the infamous Ryuk ransomware. The app is provided by Ryuk operators to victims to recover their files once they have paid the ransom.

The bug makes it impossible to completely recover some types of files, causing data loss to the victims that have paid the ransom to the operators.

The decrypter truncates one byte from the end of each file it decrypts. For some file types, that byte contains information whose removal leaves the file permanently corrupted.

“Essentially, whenever Ryuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of it in order to save time and allow it to work its way through the data as quickly as possible before anyone notices.” reads the post published by Emsisoft.

“The code used by Ryuk to determine how much of a file to encrypt if the file exceeds a size limit of 57,000,000 bytes. Files that are only partially encrypted will show a slightly different-than-normal footer at the end of the file, where Hermes usually stores the RSA-encrypted AES key that was used to encrypt the file’s content.”

Experts pointed out that virtual disk files such as VHD/VHDX and database files such as Oracle database files contain important data in that last byte.

Emsisoft experts announced that they are able to fix the bug in the Ryuk decrypter.

The researchers explained that the Ryuk decryptor also deletes the original encrypted files, which means that victims who have already executed the flawed version cannot run the fixed one to decrypt the files again.

For this reason, Emsisoft experts recommend that victims create a backup copy of their encrypted files.

“Please understand that this will only work if you still have copies or backups of your encrypted data, as the Ryuk decryptor will usually delete files it thinks were decrypted properly. Similarly, if you’ve paid for a decryptor but have yet to use it, don’t.” continues the post. “Please get in touch with us instead. Our tool will enable you to safely recover your data whereas the tool supplied by the bad actors will not.”
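The backup step recommended above, shown as an added Python example that is not from the article or from Emsisoft: it copies the encrypted files to a separate location, verifies every copy by SHA-256, and flags files above the 57,000,000-byte limit quoted earlier. The function names and manifest fields are assumptions, and comparing the on-disk size with the limit is an approximation, because an encrypted file also carries the footer.

```python
import hashlib
import shutil
from pathlib import Path

# Size limit quoted in Emsisoft's post; larger files are only partially encrypted.
# Assumption: the on-disk (encrypted) size is close enough to the original size.
PARTIAL_ENCRYPTION_LIMIT = 57_000_000


def sha256_of(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte disk images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted_files(source_dir, backup_dir, limit=PARTIAL_ENCRYPTION_LIMIT):
    """Copy every file to backup_dir, verify each copy, and return a manifest."""
    source_dir, backup_dir = Path(source_dir).resolve(), Path(backup_dir).resolve()
    if backup_dir == source_dir or source_dir in backup_dir.parents:
        raise ValueError("backup_dir must be outside source_dir")
    manifest = []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        original_hash = sha256_of(src)
        if sha256_of(dst) != original_hash:
            raise OSError(f"backup copy of {rel} does not match the original")
        size = src.stat().st_size
        manifest.append({"path": rel.as_posix(), "size": size,
                         "sha256": original_hash, "over_limit": size > limit})
    return manifest


def verify_backup(manifest, backup_dir):
    """Return manifest paths whose backup copy is missing or no longer matches."""
    damaged = []
    for entry in manifest:
        copy = Path(backup_dir) / entry["path"]
        if not copy.is_file() or sha256_of(copy) != entry["sha256"]:
            damaged.append(entry["path"])
    return damaged
```

Running `verify_backup` again after any decryptor has finished confirms that the preserved copies are still intact, so a corrected tool can be run against them later.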

Emsisoft said victims can reach out via [email protected] to have its analysts fix the decrypter they received from the Ryuk gang. However, while Emsisoft is the company that has released the most “free ransomware decrypters” in the past, this is a paid service, because its analysts have to correct each decrypter individually, a very time-consuming task.

Ryuk is one of today’s most active ransomware strains. The ransomware is deployed by criminal gangs on enterprise networks using a previous malware infection as an entry point — usually via the Emotet or TrickBot trojans.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September, the city of New Bedford was infected with Ryuk ransomware but did not pay the $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware, and in early March, Jackson County, Georgia, was hit by the same ransomware, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.


Pierluigi Paganini

(SecurityAffairs – Ryuk ransomware, decryptor)
