Antivirus maker Emsisoft said it found a bug in the decrypter app of the Ryuk ransomware. This is the app the Ryuk gang provides to victims to recover their files, after victims paid the ransom.
The bug, according to Emsisoft, causes an incomplete recovery of some types of files, leading to data loss, even if the victim paid the ransom demand.
The issue, as explained by Emsisoft in a blog post today, is that the decrypter truncates one byte from the end of each file it decrypts.
While the last byte in most files is there for padding and is usually unused, for some file extensions those bytes contain crucial information that when removed will permanently corrupt the data, preventing the file from being opened.
“A lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted,” Emsisoft says.
The antivirus maker said today it was able to track down and bug and should be able to “fix” Ryuk decrypters to decrypt files without truncating the last byte — and corrupting files.
But things aren’t that simple, as there’s another problem.
The second issue is that the Ryuk gang’s decryptor also deletes the original encrypted files, meaning victims can’t re-run the decryption operation again with a “fixed” decryptor.
Because of this, the Emsisoft team has put out today an urgent PSA (Public Service Announcement), recommending that victims create a copy of the encrypted files — to have as a backup — in case the Ryuk gang’s decryptor fails and trashes files.
“We’re hoping to get the word out about this as quickly and widely as possible so that affected organizations can avoid data loss,” Emsisoft spokesperson Brett Callow told ZDNet today.
Emsisoft said victims can reach out via firstname.lastname@example.org to have its analysts fix the decrypter they received from the Ryuk gang. However, while Emsisoft is the company who released the most “free ransomware decrypters” in the past, this is a paid service, as it implies its analysts working to correct each decrypter in part, a very time-consuming task.
Ryuk is one of today’s most active ransomware strains. The ransomware is deployed by criminal gangs on enterprise networks using a previous malware infection as an entry point — usually via the Emotet or TrickBot trojans.
Infections attributed to Ryuk include manage service provider T-Systems, financial service provider ASD Audit, insulating technology manufacturer TECNOL, automation tool manufacturer Pliz, city of New Bedford (US), Tribune Publishing, managed service provider PerCSoft, healthcare provider CorVel, IT service provider CloudJumper, the city of Lake City (US), and many other more.