
A bug in the decryptor for the Ryuk ransomware could cause data loss


Emsisoft warns that a bug in the decrypter app of the Ryuk ransomware could damage large files making it impossible to decrypt them.

Experts from Antivirus maker Emsisoft discovered a bug in the decrypter app of the infamous Ryuk ransomware. The app is provided by Ryuk operators to victims to recover their files once they have paid the ransom.

The bug makes it impossible to completely recover some types of files, causing data loss to the victims that have paid the ransom to the operators.

The decrypter truncates one byte from the end of each file it decrypts. For some file types, that last byte holds information without which the file is permanently corrupted.

“Essentially, whenever Ryuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of it in order to save time and allow it to work its way through the data as quickly as possible before anyone notices.” reads the post published by Emsisoft.

“The code used by Ryuk to determine how much of a file to encrypt if the file exceeds a size limit of 57,000,000 bytes. Files that are only partially encrypted will show a slightly different-than-normal footer at the end of the file, where Hermes usually stores the RSA-encrypted AES key that was used to encrypt the file’s content.”

Experts pointed out that virtual disk files such as VHD/VHDX and database files such as Oracle database files contain important data in that last byte.

Emsisoft experts announced that they are able to fix the bug in the Ryuk decrypter.

The researchers explained that the Ryuk decryptor also deletes the original encrypted files, which means that victims who have already run the flawed version cannot run the fixed one to decrypt their files.

For this reason, Emsisoft experts recommend that victims create a backup copy of their encrypted files.

“Please understand that this will only work if you still have copies or backups of your encrypted data, as the Ryuk decryptor will usually delete files it thinks were decrypted properly. Similarly, if you’ve paid for a decryptor but have yet to use it, don’t.” continues the post. “Please get in touch with us instead. Our tool will enable you to safely recover your data whereas the tool supplied by the bad actors will not.”

Emsisoft said victims can reach out via ryukhelp@emsisoft.com to have its analysts fix the decrypter they received from the Ryuk gang. However, while Emsisoft is the company that has released the most free ransomware decrypters in the past, this is a paid service, because it requires its analysts to correct each decrypter individually, a very time-consuming task.
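The two precautions that follow from the findings above are (a) keep an untouched copy of every encrypted file, with its size and hash, before running any decryptor that deletes its inputs, and (b) check decrypted outputs of formats that depend on their trailing bytes. The script below is an added example, not code from Emsisoft or from this article; the VHD footer layout (512-byte trailer beginning with the "conectix" cookie, one's-complement checksum at offset 64) is Microsoft's published format, while the sample files, directory names and the `.RYK` suffix are constructed for illustration.

```python
"""Added example: defender-side safeguards around a third-party ransomware decryptor.

1. snapshot_encrypted(): copy every encrypted file aside and record size + SHA-256,
   so a decryptor that deletes its inputs cannot destroy the only copy.
2. vhd_footer_ok(): verify that a (decrypted) VHD still ends in a valid 512-byte
   footer; a file truncated by one byte fails this check.
"""
import hashlib
import json
import shutil
import struct
import tempfile
from pathlib import Path

RYUK_PARTIAL_THRESHOLD = 57_000_000  # bytes; above this Ryuk encrypts only parts of a file

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_encrypted(src: Path, backup: Path) -> dict:
    """Copy every file under src into backup; return (and write) a size/hash manifest."""
    manifest = {}
    backup.mkdir(parents=True, exist_ok=True)
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        size = p.stat().st_size
        manifest[rel] = {
            "size": size,
            "sha256": sha256_of(p),
            # Files above the threshold were only partially encrypted and carry a
            # different footer, so their decrypted output deserves a closer look.
            "partially_encrypted": size > RYUK_PARTIAL_THRESHOLD,
        }
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

VHD_FOOTER_LEN = 512
VHD_COOKIE = b"conectix"

def vhd_footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the 4-byte checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def vhd_footer_ok(data: bytes) -> bool:
    """True if data ends with a structurally valid VHD footer (cookie + checksum)."""
    if len(data) < VHD_FOOTER_LEN:
        return False
    footer = data[-VHD_FOOTER_LEN:]
    if footer[:8] != VHD_COOKIE:
        return False
    stored = struct.unpack(">I", footer[64:68])[0]
    return stored == vhd_footer_checksum(footer)

def make_vhd_footer(current_size: int) -> bytes:
    """Constructed sample footer for a fixed-type VHD (for demonstration only)."""
    f = bytearray(VHD_FOOTER_LEN)
    f[0:8] = VHD_COOKIE
    struct.pack_into(">I", f, 8, 0x2)                   # features: reserved bit set
    struct.pack_into(">I", f, 12, 0x00010000)           # file format version 1.0
    struct.pack_into(">Q", f, 16, 0xFFFFFFFFFFFFFFFF)   # data offset: none (fixed disk)
    struct.pack_into(">Q", f, 40, current_size)         # original size
    struct.pack_into(">Q", f, 48, current_size)         # current size
    struct.pack_into(">I", f, 60, 2)                    # disk type: fixed
    struct.pack_into(">I", f, 64, vhd_footer_checksum(bytes(f)))
    return bytes(f)

def demo() -> dict:
    """Run the snapshot on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp) / "encrypted", Path(tmp) / "backup"
        src.mkdir()
        (src / "report.docx.RYK").write_bytes(b"A" * 1000)
        (src / "disk.vhd.RYK").write_bytes(b"\x00" * 4096 + make_vhd_footer(1 << 20))
        manifest = snapshot_encrypted(src, backup)
        # Every backup copy must match its original byte for byte.
        assert all(sha256_of(backup / rel) == m["sha256"] for rel, m in manifest.items())
        return manifest

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    sample = b"\x00" * 4096 + make_vhd_footer(1 << 20)
    print("intact VHD footer valid:", vhd_footer_ok(sample))
    print("one byte truncated valid:", vhd_footer_ok(sample[:-1]))
```

Run the snapshot against the encrypted tree before any decryptor touches it; afterwards, a decrypted VHD whose `vhd_footer_ok` check fails is a sign that the trailing byte was lost, and the preserved copy in the backup directory can be fed to a corrected decryptor.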

Ryuk is one of today’s most active ransomware strains. The ransomware is deployed by criminal gangs on enterprise networks using a previous malware infection as an entry point — usually via the Emotet or TrickBot trojans.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September, the city of New Bedford was infected with Ryuk ransomware but did not pay the $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware. In early March, Jackson County, Georgia, was hit by the same ransomware, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.


Pierluigi Paganini

(SecurityAffairs – Ryuk ransomware, decryptor)
