
posted by Fnord666 on Wednesday December 11 2019, @03:04AM
from the program-is-borked dept.

Submitted via IRC for chromas

Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss

Due to recent changes in the Ryuk Ransomware encryption process, a bug in the decryptor could lead to data loss in large files.

Ryuk is a ransomware infection known to target enterprises or government agencies by gaining access to their networks and then encrypting as many computers as possible. The attackers then demand large ransoms, sometimes in the millions, in order to receive a decryptor for their files.

According to antivirus and security firm Emsisoft, Ryuk was recently modified so that it does not encrypt the entire file if it is larger than 57,000,000 bytes or 54.4 megabytes. This is done to prevent the encryption process from taking too long, which could allow victims to more readily detect that the ransomware was running.

Instead, the ransomware partially encrypts the file, encrypting a certain number of 1,000,000-byte blocks of data, up to a hard maximum of 2,000.

For a large file, the ransomware will then store the number of blocks that were encrypted next to the 'HERMES' file marker in the footer. For example, one encrypted file examined had 112 blocks of 1,000,000 bytes encrypted.

Smaller files that are entirely encrypted, though, will not contain a block count in the footer.

Emsisoft CTO Fabian Wosar told BleepingComputer that a bug in the Ryuk decryptor is causing the size of the footer in large files to not be properly calculated due to the variable nature of the block count.

This causes the decryptor to truncate certain files before the last byte.
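The failure mode described above, as an added illustration that is not part of the original article and not Ryuk's real file format: a constructed footer layout (the 'HERMES' marker followed by the block count written as a variable number of decimal digits for large files, and no count for small files) and a toy XOR stand-in for the real encryption. A decryptor that computes the footer size from a fixed assumption (here, the four digits needed for the 2,000-block maximum) strips too many bytes whenever the count has fewer digits, so the restored file comes back short; a decryptor that locates the marker and reads whatever digits follow it restores the full length. The final check is the one a practitioner wants before deleting encrypted copies after any third-party decryptor run: compare the restored size against the original size recorded elsewhere (backup catalogue, file inventory).

```python
# Constructed example: hypothetical footer layout and toy cipher, NOT Ryuk's real format.
MARKER = b"HERMES"
BLOCK_SIZE = 1_000_000            # bytes per encrypted block (from the article)
LARGE_FILE_THRESHOLD = 57_000_000  # files above this are only partially encrypted
MAX_BLOCKS = 2_000                 # hard cap on encrypted blocks (from the article)
FIXED_COUNT_WIDTH = len(str(MAX_BLOCKS))  # 4 digits: what a fixed-footer decryptor assumes
KEY = 0x5A                         # toy XOR key standing in for the real cipher


def toy_xor(data: bytes) -> bytes:
    """Symmetric toy 'cipher'; applying it twice restores the input."""
    return bytes(b ^ KEY for b in data)


def encrypt_file(plaintext: bytes, block_size=BLOCK_SIZE, threshold=LARGE_FILE_THRESHOLD) -> bytes:
    """Hypothetical layout: [body][HERMES][count digits only for large files]."""
    if len(plaintext) <= threshold:
        return toy_xor(plaintext) + MARKER              # small file: fully encrypted, no count
    n = min(MAX_BLOCKS, len(plaintext) // block_size)  # assumption: whole blocks, capped
    head = toy_xor(plaintext[: n * block_size])        # only the first n blocks are encrypted
    tail = plaintext[n * block_size:]                   # remainder left in the clear
    return head + tail + MARKER + str(n).encode()       # variable-width count follows marker


def parse_footer(ciphertext: bytes):
    """Locate the marker and read the trailing digits; return (body, count or None)."""
    idx = ciphertext.rfind(MARKER)
    if idx < 0:
        raise ValueError("no HERMES marker found")
    digits = ciphertext[idx + len(MARKER):]
    if digits and not digits.isdigit():
        raise ValueError("malformed block count in footer")
    return ciphertext[:idx], (int(digits) if digits else None)


def decrypt_body(body: bytes, count, block_size: int) -> bytes:
    """Undo the toy cipher on the encrypted prefix (or the whole body for small files)."""
    if count is None:
        return toy_xor(body)
    n = count * block_size
    return toy_xor(body[:n]) + body[n:]


def decrypt_fixed_footer(ciphertext: bytes, block_size=BLOCK_SIZE) -> bytes:
    """Buggy decryptor: reads the count correctly but sizes the footer as if it were always 4 digits."""
    if ciphertext.endswith(MARKER):
        return toy_xor(ciphertext[:-len(MARKER)])
    idx = ciphertext.rfind(MARKER)
    count = int(ciphertext[idx + len(MARKER):])
    body = ciphertext[: len(ciphertext) - (len(MARKER) + FIXED_COUNT_WIDTH)]  # BUG: fixed footer size
    return decrypt_body(body, count, block_size)


def decrypt_parsed_footer(ciphertext: bytes, block_size=BLOCK_SIZE) -> bytes:
    """Correct decryptor: footer size comes from where the marker actually sits."""
    body, count = parse_footer(ciphertext)
    return decrypt_body(body, count, block_size)


def verify_restore(expected_size: int, restored: bytes) -> bool:
    """Post-decryption check: the restored length must equal the originally recorded size."""
    return len(restored) == expected_size


def demo(block_size=1_000, threshold=5_000) -> dict:
    """Scaled-down run (small block size and threshold so it executes instantly)."""
    plain = bytes(range(256)) * 50                      # 12,800-byte constructed 'large' file
    ct = encrypt_file(plain, block_size, threshold)     # 12 blocks -> 2-digit count
    ct4 = encrypt_file(plain, 10, threshold)            # 1,280 blocks -> 4-digit count
    return {
        "buggy_ok": verify_restore(len(plain), decrypt_fixed_footer(ct, block_size)),    # False: 2 bytes lost
        "fixed_ok": verify_restore(len(plain), decrypt_parsed_footer(ct, block_size)),   # True
        "buggy_ok_4digit": verify_restore(len(plain), decrypt_fixed_footer(ct4, 10)),    # True: width happens to match
    }


if __name__ == "__main__":
    print(demo())
```

The `buggy_ok_4digit` result is why only certain files are affected: when the block count happens to have as many digits as the decryptor assumes, the fixed footer size is coincidentally right and the file survives; files with a shorter count lose their final bytes. Keeping the encrypted originals until `verify_restore` passes is what turns a decryptor bug into a re-run rather than permanent data loss.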


Related Stories

Pensacola, Florida Hit by Cyber Attack, City Services Impacted

The city of Pensacola is struggling to recover from a cyber attack that hit its computer network over the weekend. Some services are still affected but no critical ones. Few details are available but the attack prompted the city to disconnect much of its network until a solution for the problem was found.

The incident became known around 1:30 a.m. on Saturday and city employees in the IT department have been working to restore the network.

It is unclear what type of cyber incident is causing the issues or how many computers it affected but the online payment systems at Pensacola Energy and for city sanitation are among them.

Due to the nature of the information available on these systems, investigators are now trying to determine if data was exposed.

Computer-based communication, including email, is also down but 911 and other emergency services (police and fire departments) remained unaffected and online permitting is available. Some phones have been impacted; the 311 customer service is able to receive calls but responding to requests may not be immediately possible, reads a statement from the City of Pensacola.

"We severed things immediately as soon as we found out we were having this problem," said Pensacola Mayor Grover Robinson in a press conference today, reports the Pensacola News Journal.

Most of the systems currently offline are so because the IT department took the decision as a preventive measure, said Pensacola spokeswoman Kaycee Lagarde.

Also at Ars Technica.

Related: Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss


  • (Score: 2) by black6host on Wednesday December 11 2019, @03:38AM (1 child)

    by black6host (3827) on Wednesday December 11 2019, @03:38AM (#930940) Journal

    This totally borks their business model. Who's going to pay if there's no guarantee of full recovery? My guess is heads are going to roll.

    Now, that all being said, let me point out that this venture is no different than any other commercial venture. The only side is that if they screw up, and are caught, they're likely to go to jail. That's the only difference between this venture and say... Dow Chemical and Bhopal? (Yeah, I know, Union Carbide and all that...)

    • (Score: 2) by black6host on Wednesday December 11 2019, @03:44AM

      by black6host (3827) on Wednesday December 11 2019, @03:44AM (#930943) Journal

      Sorry, what I meant by that is that Dow picked up the good stuff and left the bad behind. They skated. I know there were some sacrificial execs from Union Carbide.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday December 11 2019, @03:56AM (2 children)

    by Anonymous Coward on Wednesday December 11 2019, @03:56AM (#930947)

    Just how is a ransomware attack different than say, a fire taking out your server?

    These are known contingencies. Their existence must be considered when designing the system.

    I consider the PHB about as foolish as one who ventures on a road trip with no spare tire.

    • (Score: 5, Interesting) by canopic jug on Wednesday December 11 2019, @05:40AM

      by canopic jug (3949) Subscriber Badge on Wednesday December 11 2019, @05:40AM (#930971) Journal

      Yes, it is bad judgment, really bad judgement. Running M$ Windows in 2019 is no different than stocking your garage with large piles of oily and gasoline-soaked rags splashed with linseed oil next to the spare lumber and gas cans. You may like it, you may feel that it is convenient, at least in the short term. But in fact it is a hazard to you and everyone else. Ditch M$ Windows and the malware incidents basically drop to zero. Though I gather systemd is working on that too.

      --
      Money is not free speech. Elections should not be auctions.

    • (Score: 0) by Anonymous Coward on Wednesday December 11 2019, @03:42PM

      by Anonymous Coward on Wednesday December 11 2019, @03:42PM (#931075)

      You may be interested to know that instead of a spare tire, or even a donut, car makers just give you a can of fix a flat.

  • (Score: 4, Insightful) by isostatic on Wednesday December 11 2019, @09:21AM

    by isostatic (365) on Wednesday December 11 2019, @09:21AM (#930990) Journal

    Just restore from backup?
