Bug in Ryuk Ransomware’s Decryptor Can Lead to Loss of Data in Certain Files

Ryuk’s decryptor tool — provided by the threat actors behind the ransomware to victims who have paid ransom demands — could actually cause data loss instead of reinstating file access to users. According to a blog post from Emsisoft, a bug with how the tool decrypts files could lead to incomplete recoveries, contrary to what the decryptor is actually meant to achieve.

While Ryuk has gained most of its notoriety due to who it targets and how much it tries to extort, the ransomware variant's capabilities have also evolved several times, including a revised encryption process. To make encryption faster and more efficient, Ryuk will only partially encrypt files that are larger than 57,000,000 bytes (approximately 54.4 megabytes). It does so in 1,000,000-byte blocks, using a formula to compute how many of these blocks it will encrypt.

Traditionally, a file infected by Ryuk will contain a marker that shows whether it has already been previously encrypted with the Hermes ransomware, an earlier malware variant on which Ryuk was based. However, in addition to the Hermes marker, these partially encrypted files will also show a number beside the marker indicating how many of the 1,000,000 byte blocks were encrypted.

Due to a bug in how this number is calculated, the latest versions of Ryuk might accidentally truncate some files, removing a single byte of data from the file it was supposed to restore.

While a single byte might seem like a minuscule amount to get worried about (in most cases, the last byte is actually unused), some types of files, such as those used in Oracle databases, store information in the last byte. This means that the removal of this single byte can actually result in an incomplete recovery, depending on the file type that was encrypted.
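The following is an added example, not code from Emsisoft or from the original article: a post-recovery check that compares each recovered file's size against a pre-incident manifest and flags files that came back exactly one byte short, the symptom described above. The manifest format, the function names and the sample files are assumptions made for illustration.

```python
import os
import tempfile

# Size above which Ryuk only partially encrypts a file (figure from the article).
PARTIAL_ENCRYPTION_THRESHOLD = 57_000_000


def classify(expected_size, actual_size):
    """Compare a recovered file's size with its pre-incident size."""
    if actual_size is None:
        return "missing"
    if actual_size == expected_size:
        return "size_ok"
    if expected_size - actual_size == 1:
        return "truncated_by_one"  # matches the decryptor bug's symptom
    return "size_mismatch"


def audit_recovery(manifest, recovered_root):
    """manifest maps relative path -> pre-incident size in bytes (hypothetical format)."""
    findings = []
    for rel_path, expected in sorted(manifest.items()):
        full = os.path.join(recovered_root, rel_path)
        actual = os.path.getsize(full) if os.path.isfile(full) else None
        findings.append({
            "path": rel_path,
            "status": classify(expected, actual),
            # Files in this size class are the ones the article says are partially encrypted.
            "partially_encrypted_size_class": expected > PARTIAL_ENCRYPTION_THRESHOLD,
            "expected": expected,
            "actual": actual,
        })
    return findings


def demo():
    """Constructed sample: empty files of a given size stand in for recovered data."""
    manifest = {"db/users01.dbf": 60_000_000, "docs/report.docx": 120_000}
    recovered_sizes = {"db/users01.dbf": 59_999_999, "docs/report.docx": 120_000}
    with tempfile.TemporaryDirectory() as root:
        for rel, size in recovered_sizes.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.truncate(size)  # set the file length without writing real content
        return audit_recovery(manifest, root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A matching size does not prove the content was restored correctly, so where the manifest also holds hashes, those should be compared as well.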

Defending against Ryuk and other ransomware families

According to Trend Micro’s 2019 midyear security roundup, ransomware detections in the first half of the year increased by 77% compared to the second half of operations as threat actors seek to evolve their tools and methods. Ryuk is perhaps the most prevalent of the current ransomware families: It has earned the threat actors behind it millions of dollars from victims — typically, major organizations in both public and private sectors.

Given how widespread ransomware still is, it will benefit both organizations and individual users to regularly practice these recommendations to minimize the chances of a successful ransomware attack:

  • The simplest and perhaps most effective method to keep important files and data safe is to maintain regular backups, preferably using the 3-2-1 method of keeping three backup copies in at least two separate formats, with one copy offsite.
  • IT administrators should ensure that systems, networks, servers, and applications are consistently updated and patched to prevent threat actors from taking advantage of vulnerable software and systems to deliver ransomware.
  • Organizations should cover all possible attack surfaces by implementing the principle of least privilege, where employees can only access parts of the system they need.
  • Ransomware victims should also refrain from paying ransomware demands, as this encourages threat actors to continue with their campaigns. Furthermore, paying the ransom doesn’t even guarantee that the encrypted data will be restored, as seen in this scenario.

[Best Practices: More recommendations to defend against ransomware]

Organizations without dedicated security teams that want to bolster their security strategy can also look into taking advantage of services such as Trend Micro™ Managed XDR, which offers a wide scope of visibility and expert security analytics by integrating detection and response functions across networks, endpoints, emails, servers, and cloud workloads. The Managed XDR team is no stranger to Ryuk, and has extensive real-world experience investigating and analyzing the ransomware variant, as well as offering remediation advice to customers.

