
A bug in the Ryuk ransomware makes data recovery impossible even if the ransom is paid. Who will fix this flaw?

Hundreds of things could go wrong after a ransomware victim pays the money demanded by criminals. Digital forensics specialists from security firm Emsisoft have reported a bug in the Ryuk ransomware decryption tool (the tool the criminals deliver to victims after the ransom is paid) that causes failures during file recovery.

According to the report, the bug causes incomplete recovery of some file types, resulting in permanent loss of encrypted data even if the victim has paid the ransom.

The cause appears to be that the decryption tool truncates one byte from the end of each file encrypted with Ryuk. In most cases this final byte is padding with no practical use, but in some file formats it carries information vital to the file's integrity. If that byte is removed or altered, the file is permanently damaged and cannot be recovered, the digital forensics specialists note.

In its report, Emsisoft states: “Multiple virtual disk files, such as VHD/VHDX, in addition to database files, such as those employed by Oracle, store important information in the last byte, so if altered by the Ryuk decryption tool, their recovery will be incorrect and they will not be accessible after decryption.”

Emsisoft says it has tracked down the bug and recommends that Ryuk victims who have received the decryption tool consult its specialists, who can fix the flaw and prevent the last byte of their important files from being corrupted.

Unfortunately, this is not the only problem facing ransomware victims. Digital forensics experts note that, because the cybercriminals' decryptor deletes the original encrypted files, the corrected version of the tool will not help those who have already tried to recover their files with the version containing the bug. The only safeguard is for victims to make copies of the encrypted data beforehand, to serve as a backup in case their files are destroyed. With that backup of the encrypted files, victims can run the corrected decryption tool without any major mishap.
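One way to put that recommendation into practice, as an added example that is not Emsisoft's code or the criminals' decryptor: snapshot every encrypted file into a separate backup directory with a size and SHA-256 manifest before running any decryptor, then re-verify the copies whenever they are needed again. The directory layout, file names and byte contents below are constructed for the demonstration.

```python
"""Added example (not Emsisoft's or the decryptor's code): snapshot encrypted
files with a size/SHA-256 manifest before running a decryptor, and re-verify
the copies later. File names and contents below are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: VHDs are large
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup: Path) -> dict:
    """Copy every regular file under src into backup; return the manifest."""
    manifest = {}
    for p in sorted(q for q in src.rglob("*") if q.is_file()):
        rel = p.relative_to(src).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)  # copy2 keeps timestamps, useful for forensics
        manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(backup: Path, manifest: dict) -> list:
    """Relative paths of copies that are missing or no longer match the manifest."""
    bad = []
    for rel, meta in manifest.items():
        p = backup / rel
        if (not p.is_file() or p.stat().st_size != meta["size"]
                or sha256_of(p) != meta["sha256"]):
            bad.append(rel)
    return bad


def demo() -> tuple:
    """Constructed run: two fake encrypted files, then one copy loses its last byte."""
    root = Path(tempfile.mkdtemp())
    src, backup = root / "encrypted", root / "backup"
    (src / "db").mkdir(parents=True)
    (src / "report.docx").write_bytes(b"\x8a" * 64)        # constructed ciphertext
    (src / "db" / "orders.vhdx").write_bytes(b"\x17" * 128)
    manifest = snapshot(src, backup)
    before = verify(backup, manifest)
    damaged = backup / "db" / "orders.vhdx"
    damaged.write_bytes(damaged.read_bytes()[:-1])  # simulate the one-byte truncation
    return before, verify(backup, manifest)
```

Keep the backup on storage the decryptor is never pointed at; a copy that fails `verify` is no longer a trustworthy input for a corrected tool.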

Digital forensics specialists at the International Institute of Cyber Security (IICS) note that Ryuk remains one of the ransomware variants most commonly used by cybercriminals today. To infect a device, threat actors typically rely on other malware, such as TrickBot or Emotet.

Since its emergence a couple of years ago, hundreds or even thousands of companies around the world have fallen victim to this infection. Whether they are financial service providers, technology device manufacturers or software vendors, Ryuk is equally effective against them, because its operators exploit a company's weakest points, which are usually employees with little cybersecurity training.
