A Bug in Ryuk Ransomware Decryptor App May Bring About Permanent Data Loss

An alert issued by cybersecurity company Emsisoft warned of a bug in the decryptor app that Ryuk ransomware victims use to recover their records. Because of this bug, using the decryptor application could result in file corruption and irreversible data loss.

Ryuk is a very active type of ransomware. Many attackers use it in campaigns against U.S. healthcare companies, such as DCH Health System in Alabama and the IT solution company Virtual Care Provider.

The following are some of the ways Ryuk ransomware is deployed:

  1. scanning to identify exposed Remote Desktop Protocol (RDP) ports
  2. brute-force attacks on RDP
  3. installing the ransomware via unpatched vulnerabilities
  4. delivering Ryuk as a secondary payload through Trojans such as TrickBot

There is no free Ryuk ransomware decryptor. Consequently, data recovery depends on the company having viable backups. Otherwise, victims need to pay the ransom in exchange for the decryption keys.

After paying the ransom, victims receive a decryptor app that includes the file decryption keys. However, there’s no guarantee that the decryptor application will recover all files. Big files could be damaged during decryption because of recent changes in the encryption process. Ryuk ransomware doesn’t encrypt the entire file if the file is larger than 54.4 megabytes. This speeds up the encryption process and keeps the attack unnoticed until the encryption is completed.

The bug causes a miscalculation in the footer of big files, which makes the decryptor truncate large files and lose the last byte. This is not a problem for the many file types where the final byte is padding and holds no information. However, a few file types make use of the last byte, such as virtual disk files (VHD/VHDX) and Oracle database files. Without the last byte, these files become corrupted and impossible to recover.

In addition, the original encrypted file is deleted once the decryptor considers the file properly decrypted, even when the decryption has in fact corrupted it. Therefore, once the decryptor has run this way, the corrupted files are not recoverable.

Prior to decryption, it is crucial to make copies of all encrypted files. In some cases, decryptors fail to work as intended, resulting in lost files. If there are duplicates of the encrypted files, then even if the decryption process fails, another copy can be used to try again. Emsisoft helps victims get back their encrypted files by developing a Ryuk ransomware decryptor without the bug. Because engineers had to work on this decryptor, it isn’t available for free; those who need this bug-free decryptor must pay for it.
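One way to follow the advice to copy encrypted files before decryption is sketched below as an added example; it is not code from Emsisoft or from the original article. It copies each encrypted file, verifies the copy by SHA-256, and flags the files the article describes as most exposed to the truncation bug. The `.RYK` suffix, the `.dbf` extension for Oracle data files, the decimal reading of 54.4 MB and all function names are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# 54.4 MB is the article's figure; reading it as decimal megabytes is an assumption.
LARGE_FILE_BYTES = int(54.4 * 1000 * 1000)
# VHD/VHDX come from the article; ".dbf" for Oracle data files is an assumption.
LAST_BYTE_SENSITIVE = {".vhd", ".vhdx", ".dbf"}

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def backup_encrypted(src_root, backup_root, suffix=".RYK", large_bytes=LARGE_FILE_BYTES):
    """Copy each encrypted file (suffix is an assumption), verify it, return a manifest."""
    src_root, backup_root = Path(src_root).resolve(), Path(backup_root).resolve()
    if backup_root == src_root or src_root in backup_root.parents:
        raise ValueError("backup_root must be outside src_root")
    manifest = []
    for src in sorted(p for p in src_root.rglob("*" + suffix) if p.is_file()):
        rel = src.relative_to(src_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        digest = sha256_of(src)
        if sha256_of(dst) != digest:  # never trust an unverified copy
            raise OSError(f"backup copy differs from source: {src}")
        size = src.stat().st_size
        ext = Path(src.name[: -len(suffix)]).suffix.lower()  # extension before encryption
        manifest.append({"path": rel.as_posix(), "size": size, "sha256": digest,
                         "at_risk": size > large_bytes or ext in LAST_BYTE_SENSITIVE})
    return manifest

def verify_backup(manifest, backup_root):
    """Return manifest paths whose backup copy is missing or no longer matches."""
    bad = []
    for entry in manifest:
        copy = Path(backup_root) / entry["path"]
        if not copy.is_file() or sha256_of(copy) != entry["sha256"]:
            bad.append(entry["path"])
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        src, dst = Path(tmp, "share"), Path(tmp, "backup")
        src.mkdir()
        (src / "disk.vhdx.RYK").write_bytes(b"constructed sample bytes")
        print(backup_encrypted(src, dst), verify_backup([], dst))
```

Run `verify_backup` again before any retry, so that a decryption attempt is only ever made on a copy whose hash still matches the manifest.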

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA