
Buggy Ryuk Tool Corrupts Data Files After Ransomware Infection

Talk about a nightmare that doesn’t end: a bug in the Ryuk ransomware’s decryptor tool means some types of data cannot be recovered. The victim doesn’t get all the files back, even after paying the ransom demand.

The latest decryptor tool provided by the Ryuk gang truncates one byte from the end of each file it decrypts, antivirus company Emsisoft said. In most cases this isn’t a problem, because the last byte is usually padding and not used, but some file types store information about the file in the last few bytes. In those situations, when the file is recovered and that byte is missing, the data is corrupted and the file can no longer be opened.

"A lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted," Emsisoft said.

For IT departments at victim organizations, paying the ransom and discovering some files are still missing means they still have to go through the process of trying to recover from backups (if they exist) or reconstructing the files from scratch.

Ryuk is one of the most active ransomware strains targeting enterprise networks. It has been behind infections that hit the city of New Bedford, crippled the state of Louisiana, and affected the Georgia court system. Ryuk has also infected Dallas-based managed service provider T-Systems, which provides services for emergency care facilities and hospitals. The ransomware usually relies on other malware, such as the Emotet or TrickBot Trojans, to get into the enterprise network, and then locks up the files for ransom.

Ryuk has been evolving with new features and capabilities over the past few months; for example, it can now partially encrypt files. For files larger than 54.4 MB, Ryuk encrypts only certain parts, enough to render the file inaccessible without spending the time and resources needed to encrypt the entire thing. Partial encryption saves time and lets Ryuk encrypt as many files as possible before it is detected, Emsisoft said.

Ryuk stores a counter of how many blocks were encrypted, along with other information, in a footer at the end of the file. When calculating the size of that footer, the decryptor cuts off one byte too many from the file.

“In the best case scenario, the byte that was cut off by the buggy decryptor was unused and just some slack space at the end created by aligning the file towards certain file size boundaries,” Emsisoft said.

Emsisoft can fix the decryptor tool that victims receive after paying the ransom so that it no longer truncates the last byte, but victim organizations have to contact Emsisoft analysts before running the original decryptor. The Ryuk decryptor is designed to delete the encrypted versions of files after it has processed and recovered them. If an organization pays the ransom, runs the decryptor and only then discovers that files have been corrupted, it is too late to get the fixed version: there is no longer an encrypted file for the Emsisoft tool to recover.

Fixing the decryptor tool is a paid service.

It is good practice to make a copy of the encrypted files before running the decryptor—this way, if the decryptor doesn’t successfully finish the recovery, the organization still has the copy to try something else.
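The two practical points above, copying encrypted files aside before decryption and checking that the output was not cut one byte short, can be scripted. The following is an added example written for this article, not Emsisoft's or the Ryuk gang's code; it assumes the analyst already knows the ransomware footer length for the sample (passed in as `footer_len`, since the article gives no layout), and the VHD check relies on the VHD specification's 512-byte trailing footer that opens with the cookie `conectix`.

```python
import hashlib
import shutil
from pathlib import Path

VHD_FOOTER_LEN = 512
VHD_COOKIE = b"conectix"   # cookie that opens every VHD hard disk footer


def snapshot_encrypted(encrypted: Path, backup_dir: Path) -> dict:
    """Copy the encrypted file aside and record its size and hash.  Do this
    before running any decryptor, because the decryptor deletes the encrypted
    original once it has written its (possibly truncated) output."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    copy = backup_dir / encrypted.name
    shutil.copy2(encrypted, copy)
    data = copy.read_bytes()
    return {"copy": str(copy), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def size_matches(decrypted_len: int, encrypted_len: int, footer_len: int) -> bool:
    """A correct decryptor removes exactly the ransomware footer.  footer_len is
    whatever the analyst determined for this sample (an assumed input here); an
    output that is one byte short is the truncation bug, not a good recovery."""
    return decrypted_len == encrypted_len - footer_len


def vhd_footer_ok(data: bytes) -> bool:
    """A VHD image ends with a 512-byte footer that begins with b'conectix'.
    Losing the final byte shifts the footer by one, so the cookie no longer
    sits at offset len-512 and the check fails."""
    if len(data) < VHD_FOOTER_LEN:
        return False
    start = len(data) - VHD_FOOTER_LEN
    return data[start:start + len(VHD_COOKIE)] == VHD_COOKIE


def make_sample_vhd(payload_len: int = 1024) -> bytes:
    """Constructed stand-in for a small fixed VHD: payload plus a minimal footer.
    Only the cookie is populated; real footers also carry geometry and a checksum."""
    payload = bytes(range(256)) * (payload_len // 256)
    footer = VHD_COOKIE + b"\x00" * (VHD_FOOTER_LEN - len(VHD_COOKIE))
    return payload + footer


if __name__ == "__main__":
    good = make_sample_vhd()
    truncated = good[:-1]            # what the buggy decryptor would leave behind
    print("intact footer:", vhd_footer_ok(good))          # True
    print("truncated footer:", vhd_footer_ok(truncated))  # False
```

Images created by Virtual PC versions before 2004 legitimately use a 511-byte footer, so a failed cookie check on a very old disk image is a prompt to inspect by hand rather than proof of truncation.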