SoylentNews

upstart [soylentnews.org] writes:

████ # This file was generated by upstart! Edit at your own risk. ████

Submitted via IRC for chromas

Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss [bleepingcomputer.com]

Due to recent changes in the Ryuk Ransomware encryption process, a bug in the decryptor could lead to data loss in large files.

Ryuk is a ransomware infection known to target the enterprise [bleepingcomputer.com] or govt agencies by gaining access to their networks and then encrypting as many computers as possible. The attackers then demand large ransoms, sometimes in the millions, in order to receive a decryptor for their files.

According to antivirus and security firm Emsisoft [emsisoft.com], Ryuk was recently modified so that it does not encrypt the entire file if it is larger than than 57,000,000 bytes or 54.4 megabytes. This is done to prevent the encryption process from taking too long, which could allow victims to more readily detect that the ransomware was running.

Instead the decryptor will partially encrypt the file by encrypting a certain number of 1,000,000 byte blocks of data, up to a hard maximum of 2,000.  You can see the formula Ryuk uses to compute the amount of blocks it will encrypt below.

Ryuk formula for encrypting large files

For a large file, the ransomware will then store the number of blocks that were encrypted next the 'HERMES' file marker in the footer. For example, the encrypted file below had 112 1 million-byte blocks encrypted.

Ryuk Encrypted File

Smaller files that are entirely encrypted, though, will not contain a block count in the footer.

Emsisoft CTO Fabian Wosar told BleepingComputer that a bug in the Ryuk decryptor is causing the size of the footer in large files to not be properly calculated due to the variable nature of the block count.

This causes the decryptor to truncate certain files before the last byte.

Why this is bad

While many files do not contain data in the last byte of a file and it's mostly used as padding, some data files such as databases and virtual disk images do utilize the last byte.  These types of files will therefore not load properly after being decrypted.

"However, a lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted."

To make matters worse, when the Ryuk decryptor thinks it correctly decrypted a file, it will delete the encrypted version. 

Since the decryptor thinks it is decrypting these large files correctly, even when it isn't, it will also decrypt the encrypted version. This make it harder to recover these files after running the decryptor. 

For those who are having issues with large files, Emsisoft offers a paid service where they will create a custom decryptor that does not contain this bug. Victims who need this assistance can request at ryukhelp@emsisoft.com.

Furthermore, all Ryuk victims should be sure to backup all of their encrypted data before performing any decryption, regardless of where you received the decryptor.

This will protect your data in the event that a decryptor corrupts it.

Original Submission