- The Ryuk ransomware decryptor fails to fully decrypt certain large files because of a special condition introduced in a new variant of the ransomware.
- The variant only partially encrypts large files, so that the encryption process does not run long enough for the attack to be detected.
Ryuk ransomware, which is notorious for targeting enterprises and government agencies, was found to contain a special condition that hinders full recovery of encrypted files larger than 54.4 megabytes.
What is the fuss about?
Antivirus and security firm Emsisoft revealed that a recent modification to Ryuk means it no longer encrypts the entire file if the file is larger than 57,000,000 bytes (54.4 megabytes).
- Because of these recent changes in the Ryuk ransomware's encryption process, a bug in the decryptor can lead to data loss in large files.
- According to reports, the change was made to keep the attack from being detected, as otherwise the encryption process would take too long.
- Instead of encrypting the whole file, the ransomware partially encrypts it: a certain number of 1,000,000-byte blocks of data, up to a hard maximum of 2,000.
What is the bug?
For such larger files, the ransomware stores the number of encrypted blocks next to the 'HERMES' file marker in the footer. According to Emsisoft CTO Fabian Wosar, the Ryuk decryptor miscalculates the size of this footer in large files because the block count makes the footer length variable, and as a result it truncates certain files one byte short of the end. Fully encrypted smaller files carry no block count in the footer.
In many file formats the last byte is padding and carries no data, but some file types, such as databases and virtual disk images, use the file right up to the last byte. Files of these types will therefore fail to load properly after being decrypted.
What makes matters worse is that once the Ryuk decryptor believes it has correctly decrypted a file, it deletes the encrypted version.
If Ryuk strikes your network, back up all of the encrypted data before running any decryptor, regardless of where you obtained it. Keeping the encrypted copies means the data can still be recovered if a decryptor corrupts it.
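The footer-length mistake and the "back up before you decrypt" advice above are easier to reason about with a toy model. The following Python is an added example written for this page, not Emsisoft's decryptor or the ransomware's code. Only the numbers it borrows from the article are real (the 57,000,000-byte threshold, 1,000,000-byte blocks, the cap of 2,000 blocks and the 'HERMES' marker); the footer layout, the block-count formula, the single-byte XOR "cipher" and the function names are assumptions made so the model runs offline. It builds a fully and a partially encrypted file, decrypts each with a correct decryptor and with one that over-estimates the variable-length footer by one byte, and wraps decryption in a routine that copies the encrypted file aside and refuses to call the output good when its size does not match what the footer implies.

```python
import os
import shutil
import struct
import tempfile

# Values taken from the article.
THRESHOLD = 57_000_000   # files larger than this are only partially encrypted
BLOCK_SIZE = 1_000_000   # size of each encrypted block
MAX_BLOCKS = 2_000       # hard maximum number of encrypted blocks
MARKER = b"HERMES"       # marker written into the footer

# Assumptions for illustration only (not Ryuk's real format or cipher):
#   - "encryption" is a single-byte XOR applied via a translate table
#   - partial encryption covers the first N blocks of the file
#   - N = min(MAX_BLOCKS, half the number of whole blocks in the file)
#   - footer = [4-byte little-endian N, partial files only] + MARKER
_KEY = 0x5A
_XOR = bytes(i ^ _KEY for i in range(256))

def block_count(size: int) -> int:
    """Assumed formula for how many blocks a partial encryption covers."""
    return min(MAX_BLOCKS, max(1, (size // BLOCK_SIZE) // 2))

def encrypt(plain: bytes) -> bytes:
    """Model of the ransomware: full encryption up to the threshold, partial above it."""
    if len(plain) > THRESHOLD:
        n = block_count(len(plain))
        cut = n * BLOCK_SIZE
        body = plain[:cut].translate(_XOR) + plain[cut:]
        footer = struct.pack("<I", n) + MARKER   # block count sits next to the marker
    else:
        body = plain.translate(_XOR)
        footer = MARKER                          # no block count on fully encrypted files
    return body + footer

def is_partial(enc: bytes) -> bool:
    """True when the footer carries a block count, i.e. the original exceeded THRESHOLD."""
    return len(enc) - len(MARKER) - 4 > THRESHOLD

def footer_len(enc: bytes) -> int:
    """Correct footer size: the marker, plus the 4-byte count on partial files."""
    return len(MARKER) + (4 if is_partial(enc) else 0)

def _decrypt(enc: bytes, flen: int) -> bytes:
    """Strip a footer of flen bytes and undo the XOR on the encrypted region."""
    if not enc.endswith(MARKER):
        raise ValueError("no HERMES marker: not a file this toy model produced")
    body = enc[:-flen]
    if is_partial(enc):
        n = struct.unpack("<I", enc[-(len(MARKER) + 4):-len(MARKER)])[0]
        cut = n * BLOCK_SIZE
        return body[:cut].translate(_XOR) + body[cut:]
    return body.translate(_XOR)

def decrypt_correct(enc: bytes) -> bytes:
    return _decrypt(enc, footer_len(enc))

def decrypt_buggy(enc: bytes) -> bytes:
    """Models the reported defect: on partial files the variable-length footer is
    over-estimated by one byte, so the last byte of the body is chopped off."""
    return _decrypt(enc, footer_len(enc) + (1 if is_partial(enc) else 0))

def looks_complete(enc: bytes, dec: bytes) -> bool:
    """Check to run before any decryptor is allowed to delete the encrypted copy:
    the plaintext must be exactly the encrypted size minus the footer."""
    return len(dec) == len(enc) - footer_len(enc)

def safe_decrypt(path: str, decryptor) -> bool:
    """Copy the encrypted file aside, decrypt to a sibling file, never delete the
    original; returns False (keeping everything) if the output looks truncated."""
    shutil.copy2(path, path + ".bak")
    with open(path, "rb") as f:
        enc = f.read()
    dec = decryptor(enc)
    ok = looks_complete(enc, dec)
    with open(path + (".dec" if ok else ".dec.suspect"), "wb") as f:
        f.write(dec)
    return ok

if __name__ == "__main__":
    # Constructed sample: ~58 MB whose last byte is 0xFF, so truncation is visible.
    big = bytes(range(256)) * (58_000_000 // 256)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "disk.vhd.ryk")
        with open(p, "wb") as f:
            f.write(encrypt(big))
        print("buggy decryptor passes size check:", safe_decrypt(p, decrypt_buggy))
        print("fixed decryptor passes size check:", safe_decrypt(p, decrypt_correct))
        print("encrypted backup retained:", os.path.exists(p + ".bak"))
```

The size check is the practitioner's safeguard here: it does not depend on knowing the cipher, only on the footer layout, so a one-byte shortfall on a database or virtual disk image is caught before the encrypted original is discarded. On a real incident the equivalent is to keep the `.bak` copies until every recovered file has been opened by the application that produced it.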