Flaw in Ryuk Ransomware May Make Data Recovery Impossible

By Richard Anderson

Disaster strikes. Your business has been attacked and ransomware has been deployed. You decide to pay the ransom to ensure a quick recovery, only to discover that the decryption keys supplied by the attackers do not work. This is one of the reasons why the FBI’s advice is never to pay the ransom.

It is not in the best interests of cybercriminals to permanently encrypt data. After all, once word spreads that paying a ransom will not result in file recovery, no one will pay up. However, in some cases, flaws in the encryption or decryption processes can see files corrupted. One such flaw has recently been identified in Ryuk ransomware by the New Zealand cybersecurity firm Emsisoft. The bug means that some victims will not be able to recover all of their data, even if the ransom is paid.

The flaw is present in the decryptor app used by the attackers to allow files to be recovered, not in the encryption process itself. The bug sees the decryptor truncate one byte from the end of each encrypted file when recovery is attempted. In most cases, that does not mean the file cannot be recovered, as the last byte of a file is often not used. Crucially, it is used by certain file types, including VHD, VHDX, and many database files. For those files the loss of that single byte leaves the file corrupted, because the byte contains data essential to reading the file.

Emsisoft believes that it has located the bug and that it can fix the decryptor app to allow full file recovery, but there is one caveat. The bug must be fixed before recovery is attempted, as the original encrypted file is deleted during the recovery process. That means that it will not be possible to try to recover the file a second time using a corrected decryptor. The file will be permanently corrupted.

That means that prior to attempting recovery it is essential for a copy of the encrypted files to be made. That way, if the decryption process fails, the victim will be able to try again with a fixed decryptor. Emsisoft has said in a recent announcement that the company will help companies recover all of their data by fixing the Ryuk ransomware decryptor app, although victims will be required to pay for that service due to the amount of work that their engineers have to do.
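The precaution described above (copy the encrypted files before running any decryptor, so a second attempt with a fixed decryptor remains possible) can be made systematic. The following is an added example, not code from the article, Emsisoft, or the Ryuk decryptor: it snapshots a directory of encrypted files into a backup location with a size and SHA-256 manifest, re-verifies the backup afterwards so you know the copies were not consumed or altered, and checks whether a decrypted VHD image still ends with an intact 512-byte footer (the standard VHD layout puts a footer beginning with the cookie `conectix` at the very end of the image, which is exactly what a one-byte truncation destroys). The manifest file name, the `.enc` extension and all sample file contents are constructed assumptions for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the backup inventory (not from the article)
VHD_FOOTER_SIZE = 512            # standard VHD footer occupies the last 512 bytes of the image
VHD_COOKIE = b"conectix"         # cookie that begins a VHD footer


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_encrypted_files(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and record size + SHA-256 in a manifest.

    Returns the manifest dict (relative path -> {"size", "sha256"}). Run this BEFORE any
    decryptor touches the originals, since the decryptor may delete the encrypted input.
    """
    src, dst = Path(src_dir), Path(backup_dir)
    manifest = {}
    for p in src.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir):
    """Re-check every backup copy against the manifest.

    Returns the sorted list of relative paths that are missing, resized or modified.
    An empty list means the encrypted originals are still available for a retry.
    """
    dst = Path(backup_dir)
    manifest = json.loads((dst / MANIFEST_NAME).read_text())
    bad = []
    for rel, info in manifest.items():
        p = dst / rel
        if (not p.is_file() or p.stat().st_size != info["size"]
                or sha256_of(p) != info["sha256"]):
            bad.append(rel)
    return sorted(bad)


def vhd_footer_intact(path):
    """True if the last 512 bytes of the file begin with the VHD 'conectix' cookie.

    A decrypted image that lost its final byte fails this check, because the footer
    is no longer aligned to the end of the file.
    """
    size = os.path.getsize(path)
    if size < VHD_FOOTER_SIZE:
        return False
    with open(path, "rb") as f:
        f.seek(size - VHD_FOOTER_SIZE)
        return f.read(len(VHD_COOKIE)) == VHD_COOKIE


def demo():
    """Constructed walkthrough: snapshot, tamper with one copy, re-verify, then footer-check a VHD."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "encrypted", Path(tmp) / "backup"
        src.mkdir()
        # Constructed sample "encrypted" files; contents are arbitrary, not real ciphertext.
        (src / "report.docx.enc").write_bytes(b"A" * 1000)
        (src / "server.vhd.enc").write_bytes(b"B" * 2048)
        manifest = snapshot_encrypted_files(src, bak)
        clean = verify_backup(bak)
        # Simulate something shortening one backup copy by a byte.
        (bak / "report.docx.enc").write_bytes(b"A" * 999)
        tampered = verify_backup(bak)
        # Constructed "decrypted" VHD: payload followed by a 512-byte footer, then a truncated twin.
        good = Path(tmp) / "server.vhd"
        good.write_bytes(b"D" * 4096 + VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - len(VHD_COOKIE)))
        short = Path(tmp) / "server_truncated.vhd"
        short.write_bytes(good.read_bytes()[:-1])
        return {"files": len(manifest), "clean": clean, "tampered": tampered,
                "vhd_ok": vhd_footer_intact(good), "vhd_truncated_ok": vhd_footer_intact(short)}


if __name__ == "__main__":
    print(demo())
```

Keep the backup on separate storage the decryptor cannot reach, and treat a non-empty `verify_backup` result as a stop signal before proceeding with a second decryption attempt.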


Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news