The hacking crew behind Ryuk, the ransomware used in cyber attacks on government agencies, healthcare, schools and private companies, appears to be peddling a broken decryption tool to victims, according to security provider Emsisoft.
The buggy decryptor causes data to be corrupted and/or lost when victims attempt to decrypt and restore files, even if a ransom demand has been met, Emsisoft said in a blog post. The company said it has developed an alternative tool for organizations to use to recover their data without loss or corruption.
Ryuk was first discovered in August 2018. The ransomware often goes undetected for days or months after an initial infection, and it enables a threat actor to identify and attack an organization’s critical network systems. A recent Ryuk ransomware attack forced three Alabama hospitals to turn away all but the most critical new patients. While Ryuk was used to encrypt files in that extortion raid, no patient or employee data appeared to have been misused or removed.
“Ryuk has plagued the public and private sectors alike over the past years, generating hundreds of millions of ransom revenues for the criminals behind it,” Emsisoft wrote. “Usually deployed via an existing malware infection within a target’s network, Ryuk wreaks havoc on any system that can be accessed.”
One of the less documented features of Ryuk is its ability to partially encrypt files. Whenever Ryuk encounters a file that is larger than 54.4 megabytes it encrypts only certain parts of it, ostensibly to “work its way through the data as quickly as possible before anyone notices.” Partially encrypted files carry a slightly different footer at the end of the file. The net result, Emsisoft wrote, is that the decryptor the Ryuk hackers provide cuts off one too many bytes in the process of decrypting such a file.
The flawed decryptor doesn’t always cause problems for victims needing their data returned intact, the researchers said. “In the best-case scenario, the byte that was cut off by the buggy decryptor was unused and just some slack space at the end created by aligning the file towards certain file size boundaries.”
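The failure mode above is easy to reason about in code. The following is an added example, not Emsisoft's tool and not Ryuk's code: it models a decryptor whose output is one byte shorter than the original (the cipher itself is not reproduced, only the off-by-one), then triages the result by checking whether each file's format trailer is still intact. The samples are constructed in memory; the file names, the 4096-byte alignment boundary used to model slack space, and the three trailer checks are assumptions for the demonstration, not details from the Emsisoft post.

```python
"""Triage decrypted files for a one-byte truncation.

Added example, not Emsisoft's or Ryuk's code. A file that ends exactly on its
format trailer (PNG IEND chunk, ZIP end-of-central-directory record) loses it
and will no longer load; a file whose last byte was alignment slack or a
trailing end-of-line survives, which is the 'best case' Emsisoft describes.
"""
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk plus its CRC
ZIP_EOCD = b"PK\x05\x06"


def buggy_decrypt(plaintext: bytes) -> bytes:
    """Model of the flawed decryptor: output is one byte shorter than the original."""
    return plaintext[:-1]


def pad_to_boundary(data: bytes, boundary: int = 4096) -> bytes:
    """Append NUL slack so the file ends on a size boundary (assumed boundary)."""
    remainder = len(data) % boundary
    return data if remainder == 0 else data + b"\x00" * (boundary - remainder)


def check_png(data: bytes) -> bool:
    """Intact if the IEND chunk is present and only NUL slack follows it."""
    if not data.startswith(PNG_MAGIC):
        return False
    end = data.rfind(PNG_IEND)
    if end < 0:
        return False
    return not data[end + len(PNG_IEND):].strip(b"\x00")


def check_zip(data: bytes) -> bool:
    """Intact if the end-of-central-directory record and its declared comment
    fit inside the file, with at most NUL slack after them."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    pos = data.rfind(ZIP_EOCD, max(0, len(data) - 65557))  # EOCD + max comment
    if pos < 0 or len(data) < pos + 22:
        return False
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    tail = pos + 22 + comment_len
    return len(data) >= tail and not data[tail:].strip(b"\x00")


def check_pdf(data: bytes) -> bool:
    """Intact if %%EOF closes the file; the format permits a trailing EOL."""
    return data.startswith(b"%PDF-") and data.rstrip(b"\r\n\x00").endswith(b"%%EOF")


CHECKS = {"png": check_png, "zip": check_zip, "pdf": check_pdf}


def triage(name: str, data: bytes) -> str:
    """Return 'ok', 'truncated' or 'unknown' for one decrypted file, by extension."""
    check = CHECKS.get(name.rsplit(".", 1)[-1].lower())
    if check is None:
        return "unknown"
    return "ok" if check(data) else "truncated"


def make_png() -> bytes:
    """Constructed sample: a 1x1 greyscale PNG with correct chunk CRCs."""
    def chunk(kind: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(kind + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte plus one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_zip() -> bytes:
    """Constructed sample: a one-member ZIP archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "payroll export\n")
    return buf.getvalue()


def make_pdf() -> bytes:
    """Constructed sample: a PDF skeleton ending in %%EOF plus a newline."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def demo() -> dict:
    """Run the modelled decryptor over the samples and triage each output."""
    samples = {
        "photo.png": make_png(),                           # ends exactly on IEND
        "photo_aligned.png": pad_to_boundary(make_png()),  # slack after IEND
        "export.zip": make_zip(),                          # ends exactly on EOCD
        "report.pdf": make_pdf(),                          # EOL after %%EOF
    }
    return {name: triage(name, buggy_decrypt(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9s} {name}")
```

Running it shows the two outcomes the text describes side by side: the bare PNG and the ZIP come back as `truncated` because their trailers are now one byte short, while the alignment-padded PNG and the newline-terminated PDF come back as `ok` because the lost byte was never part of the format. Such a check is only useful if it runs on copies; as Emsisoft notes later on this page, the attackers' decryptor tends to delete files it believes it decrypted correctly, so the encrypted originals must be preserved before any tool touches them.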
Emsisoft said its decryptor is meant for organizations hit by ransomware that cannot retrieve their data despite paying the ransom, whether because they are trying to make a buggy decryptor work or because the perpetrator will not cooperate, all of which are increasingly likely outcomes in recent attacks.
The company is advising Ryuk victims who were hit within the last two weeks and have files that will not load to use its decryptor. “Please understand that this will only work if you still have copies or backups of your encrypted data, as the Ryuk decryptor will usually delete files it thinks were decrypted properly,” Emsisoft said. “Our tool will enable you to safely recover your data whereas the tool supplied by the bad actors will not.”
Emsisoft’s last piece of advice for victimized users? Before running any ransomware decryptor, back up the encrypted data first. That way, if the tool does not perform as expected, you can try again from the untouched copies.