Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday December 11 2019, @03:04AM   Printer-friendly
from the program-is-borked dept.

Submitted via IRC for chromas

Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss

Due to recent changes in the Ryuk Ransomware encryption process, a bug in the decryptor could lead to data loss in large files.

Ryuk is a ransomware infection known to target the enterprise or govt agencies by gaining access to their networks and then encrypting as many computers as possible. The attackers then demand large ransoms, sometimes in the millions, in order to receive a decryptor for their files.

According to antivirus and security firm Emsisoft, Ryuk was recently modified so that it does not encrypt the entire file if it is larger than than 57,000,000 bytes or 54.4 megabytes. This is done to prevent the encryption process from taking too long, which could allow victims to more readily detect that the ransomware was running.

Instead the decryptor will partially encrypt the file by encrypting a certain number of 1,000,000 byte blocks of data, up to a hard maximum of 2,000

For a large file, the ransomware will then store the number of blocks that were encrypted next the 'HERMES' file marker in the footer. For example, the encrypted file below had 112 1 million-byte blocks encrypted.

Smaller files that are entirely encrypted, though, will not contain a block count in the footer.

Emsisoft CTO Fabian Wosar told BleepingComputer that a bug in the Ryuk decryptor is causing the size of the footer in large files to not be properly calculated due to the variable nature of the block count.

This causes the decryptor to truncate certain files before the last byte.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday December 11 2019, @03:56AM (2 children)

    by Anonymous Coward on Wednesday December 11 2019, @03:56AM (#930947)

    Just how is a ransomware attack different than say, a fire taking out your server?

    These are known contingencies. Their existence must be considered when designing the system.

    I consider the PHB about as foolish as one who ventures on a road trip with no spare tire.

    Starting Score:    0  points
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   1  
  • (Score: 5, Interesting) by canopic jug on Wednesday December 11 2019, @05:40AM

    by canopic jug (3949) Subscriber Badge on Wednesday December 11 2019, @05:40AM (#930971) Journal

    Yes, it is bad judgment, really bad judgement. Running M$ Windows in 2019 is no different than stocking your garage with large piles of oily and gasoline-soaked rags splashed with linseed oil next to the spare lumber and gas cans. You may like it, you may feel that it is convenient, at least in the short term. But in fact it is a hazard to you and everyone else. Ditch M$ Windows and the malware incidents basically drop to zero. Though I gather systemd is working on that too.

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 0) by Anonymous Coward on Wednesday December 11 2019, @03:42PM

    by Anonymous Coward on Wednesday December 11 2019, @03:42PM (#931075)

    You may be interested to know that instead of a spare tire, or even a donut, car makers just give you a can of fix a flat.