Ryuk ransomware, which is notorious for targeting enterprises and government agencies, was found to contain a special condition that hinders full recovery of encrypted data for files larger than 54.4 megabytes.
What is the fuss about?
Antivirus and security firm Emsisoft revealed that a recent modification to Ryuk means it no longer encrypts the entire file if the file is larger than 57,000,000 bytes, or 54.4 megabytes.
What is the bug?
For such larger files, the ransomware stores the number of blocks it encrypted next to the 'HERMES' file marker in the footer. According to Emsisoft CTO Fabian Wosar, the bug in the Ryuk decryptor miscalculates the size of the footer in large files because the block count varies from file to file. As a result, the decryptor truncates certain files before their last byte. Smaller files, which are encrypted entirely, carry no block count in the footer.
Although the last byte of most files holds no real data and is mostly padding, some file types, such as databases and virtual disk images, do extend right to their last byte. Such files will therefore fail to load properly after being decrypted.
What makes matters worse is that once the Ryuk decryptor believes it has correctly decrypted a file, it deletes the encrypted version.
Free tip
If Ryuk does strike your network, back up all of the encrypted data before running any decryptor, regardless of where you obtained the decryptor. That way, the data stays recoverable even if the decryptor corrupts it.
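As an added illustration, not code from the article, from Emsisoft or from any real decryptor, the Python below models the bug class described under "What is the bug?" together with the backup step from the tip above: a footer whose length varies with the block count, a correct parser beside a decryptor that mis-sizes that footer by one byte and so drops the last data byte, and a wrapper that keeps a hashed copy of the ciphertext and never deletes the original. The footer layout, the XOR placeholder cipher, the 16-byte block size and the tiny 64-byte threshold are all assumptions made for the demo; they are not Ryuk's real on-disk format or the real 57,000,000-byte threshold.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed footer layout for this demo (NOT Ryuk's real format):
#   fully encrypted file:      ciphertext || b"HERMES"
#   partially encrypted file:  ciphertext[:cut] || plaintext[cut:] || b"HERMES" || <block count as decimal digits>
# The block count is variable-length, which is what makes the footer size vary.
MARKER = b"HERMES"
BLOCK_SIZE = 16          # assumed block size for the demo
LARGE_THRESHOLD = 64     # article's real threshold is 57,000,000 bytes; demo uses a tiny one


def _xor(data: bytes) -> bytes:
    """Placeholder byte-wise XOR standing in for the real cipher."""
    return bytes(b ^ 0x5A for b in data)


def encrypt_image(plaintext: bytes) -> bytes:
    """Constructed encrypted image; files over the threshold get only their leading blocks enciphered."""
    if len(plaintext) <= LARGE_THRESHOLD:
        return _xor(plaintext) + MARKER
    blocks = LARGE_THRESHOLD // BLOCK_SIZE      # assumption: encrypt this many leading blocks
    cut = blocks * BLOCK_SIZE
    return _xor(plaintext[:cut]) + plaintext[cut:] + MARKER + str(blocks).encode()


def parse_footer(image: bytes, buggy: bool = False):
    """Return (footer_length, block_count); block_count is None for fully encrypted files.

    The buggy variant models the flaw the article describes: for large files it
    mis-sizes the variable-length footer by one byte, so one byte of payload is
    treated as footer and discarded."""
    idx = image.rfind(MARKER)
    if idx < 0:
        raise ValueError("marker missing: not an encrypted image")
    digits = image[idx + len(MARKER):]
    blocks = int(digits) if digits else None
    footer_len = len(image) - idx
    if buggy and blocks is not None:
        footer_len += 1
    return footer_len, blocks


def decrypt_image(image: bytes, buggy: bool = False) -> bytes:
    """Strip the footer and undo the placeholder cipher on the encrypted blocks only."""
    footer_len, blocks = parse_footer(image, buggy)
    body = image[: len(image) - footer_len]
    if blocks is None:
        return _xor(body)
    cut = blocks * BLOCK_SIZE
    return _xor(body[:cut]) + body[cut:]


def safe_decrypt(path: Path, backup_dir: Path, buggy: bool = False) -> dict:
    """The tip in code: copy the encrypted file and record its SHA-256 before any
    decryption, write plaintext to a new file, and never delete the original."""
    data = path.read_bytes()
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (path.name + ".bak")
    backup.write_bytes(data)
    (backup_dir / (path.name + ".sha256")).write_text(hashlib.sha256(data).hexdigest())
    out = path.with_name(path.name + ".decrypted")
    out.write_bytes(decrypt_image(data, buggy))
    return {"encrypted_size": len(data), "decrypted_size": out.stat().st_size, "backup": backup}


def demo() -> dict:
    """Run the flow on constructed sample data; the large sample has real data in its last byte."""
    small = b"A" * 40                 # below threshold: fully encrypted, no block count
    large = b"B" * 100 + b"\x01"      # above threshold: data extends to the last byte, like a DB or VM disk
    results = {
        "small_ok": decrypt_image(encrypt_image(small), buggy=True) == small,
        "large_ok": decrypt_image(encrypt_image(large)) == large,
        "large_buggy": decrypt_image(encrypt_image(large), buggy=True),
    }
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "disk.vmdk"
        path.write_bytes(encrypt_image(large))
        r = safe_decrypt(path, Path(d) / "backup", buggy=True)
        results["encrypted_size"] = r["encrypted_size"]
        results["decrypted_size"] = r["decrypted_size"]
        results["backup_intact"] = r["backup"].read_bytes() == encrypt_image(large)
        results["original_kept"] = path.exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The small file decrypts correctly under both parsers because its footer has no block count to mis-size; the large file loses its final byte (`\x01`) under the buggy parser, which is exactly the class of corruption that breaks a database or disk image. Because the wrapper kept a hashed copy and left the original in place, the truncated output can be discarded and the file decrypted again once a fixed tool is available.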