[BreachExchange] Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss

Destry Winant destry at riskbasedsecurity.com
Thu Dec 12 10:06:57 EST 2019


Due to recent changes in the Ryuk Ransomware encryption process, a bug
in the decryptor could lead to data loss in large files.

Ryuk is a ransomware family known to target enterprises and government
agencies by gaining access to their networks and then encrypting as
many computers as possible. The attackers then demand large ransoms,
sometimes in the millions, in order to receive a decryptor for their

According to antivirus and security firm Emsisoft, Ryuk was recently
modified so that it does not encrypt the entire file if the file is
larger than 57,000,000 bytes (about 54.4 MiB). This is done to keep the
encryption process from taking too long, since a long-running
encryption would give victims more opportunity to notice that the
ransomware was running.

Instead, the ransomware partially encrypts the file by encrypting a
certain number of 1,000,000-byte blocks of data, up to a hard maximum
of 2,000 blocks. The formula Ryuk uses to compute the number of blocks
it will encrypt is shown below.

For a large file, the ransomware then stores the number of blocks that
were encrypted next to the 'HERMES' file marker in the footer. For
example, the encrypted file below had 112 one-million-byte blocks
encrypted.

Smaller files that are entirely encrypted, though, will not contain a
block count in the footer.

Emsisoft CTO Fabian Wosar told BleepingComputer that a bug in the Ryuk
decryptor causes the size of the footer in large files to be calculated
incorrectly, because the block count stored there is variable in length.

As a result, the decryptor truncates certain files, cutting off their
last byte.

Why this is bad

While the last byte of many files carries no data and is mostly
padding, some file types, such as databases and virtual disk images,
do use it. Files of these types will therefore not load properly after
being decrypted.

"However, a lot of virtual disk type files like VHD/VHDX as well as a
lot of database files like Oracle database files will store important
information in that last byte and files damaged this way will fail to
load properly after they are decrypted."

To make matters worse, when the Ryuk decryptor thinks it has correctly
decrypted a file, it deletes the encrypted version.

Since the decryptor believes it is decrypting these large files
correctly, even when it is not, it will also delete the encrypted
version. This makes it harder to recover these files after running the

For those having issues with large files, Emsisoft offers a paid
service to create a custom decryptor that does not contain this bug.
Victims who need this assistance can request it at
ryukhelp at emsisoft.com.

Furthermore, all Ryuk victims should back up all of their encrypted
data before performing any decryption, regardless of where they
received the decryptor.

This will protect the data in the event that a decryptor corrupts it.
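The following Python script is an added example, not code from the article, from BleepingComputer or from Emsisoft. It models the two points above: how a decryptor that mis-sizes a variable-length footer loses the last byte of some large files but not others, and how a back-up-then-verify step catches the damage before the encrypted copy is deleted. The footer layout (plaintext, then the ASCII marker HERMES, then an ASCII decimal block count for partially encrypted files only), the "fixed four-character count" assumption that plays the role of the bug, the sample plaintext, the `.encrypted.bak` and `.decrypted` file names and the `victim.vhd.RYK` name are all constructed for illustration; the real Ryuk footer encoding and the real decryptor's arithmetic are not documented on this page.

```python
"""Added example: simulated Ryuk-style footer, the size miscalculation, and a
backup-and-verify wrapper.  Everything about the footer layout below is
CONSTRUCTED for illustration; only the observable behaviour (variable-length
block count beside the HERMES marker, last byte lost on some large files,
encrypted copy deleted by the decryptor) comes from the article.  Encryption
of the file body is omitted because it does not affect the size arithmetic.
"""
import shutil
from pathlib import Path

MARKER = b"HERMES"
LARGE_FILE_THRESHOLD = 57_000_000  # bytes: above this Ryuk encrypts only some blocks
BLOCK_SIZE = 1_000_000             # bytes per encrypted block
MAX_BLOCKS = 2_000                 # hard cap on the number of encrypted blocks

# Constructed sample "database page" whose final byte (0x01) is meaningful.
SAMPLE_PLAINTEXT = b"sample database page" + b"\x00" * 8 + b"\x01"


def build_encrypted_file(plaintext: bytes, blocks_encrypted=None) -> bytes:
    """Append the constructed footer.  blocks_encrypted=None models a small,
    fully encrypted file, which carries no block count after the marker."""
    if blocks_encrypted is not None and not 0 < blocks_encrypted <= MAX_BLOCKS:
        raise ValueError("block count outside Ryuk's 1..2000 range")
    footer = MARKER
    if blocks_encrypted is not None:
        footer += str(blocks_encrypted).encode("ascii")  # variable width: 1-4 chars
    return plaintext + footer


def buggy_strip_footer(encrypted: bytes) -> bytes:
    """Models the defect: the count field is ASSUMED (hypothetically) to be a
    fixed four characters wide, so any count below 1000 makes the computed
    footer one byte too long and the last plaintext byte is cut off."""
    marker_at = encrypted.rfind(MARKER)
    if marker_at < 0:
        raise ValueError("no HERMES marker: not a Ryuk-style file")
    has_count = marker_at + len(MARKER) < len(encrypted)
    footer_len = len(MARKER) + (4 if has_count else 0)
    return encrypted[:len(encrypted) - footer_len]


def parse_footer(encrypted: bytes):
    """Correct parsing: walk back over the variable-width ASCII digits, then
    require the marker.  Returns (plaintext, block_count); block_count is None
    for a fully encrypted small file."""
    end = len(encrypted)
    while end > 0 and 0x30 <= encrypted[end - 1] <= 0x39:
        end -= 1
    digits = encrypted[end:]
    if not encrypted[:end].endswith(MARKER):
        raise ValueError("no HERMES marker: not a Ryuk-style file")
    count = int(digits) if digits else None
    if count is not None and not 0 < count <= MAX_BLOCKS:
        raise ValueError(f"implausible block count {count}")
    return encrypted[:end - len(MARKER)], count


def expected_plaintext_size(encrypted: bytes) -> int:
    return len(parse_footer(encrypted)[0])


def decrypted_size_ok(decrypted: bytes, encrypted: bytes) -> bool:
    """Post-decryption check: output must be exactly the encrypted size minus
    the parsed footer.  A one-byte shortfall is the truncation bug."""
    return len(decrypted) == expected_plaintext_size(encrypted)


def decrypt_with_backup(path, strip_footer) -> Path:
    """Copy the encrypted file aside BEFORE any decryptor touches it, run the
    given footer-stripping routine, and refuse to write a wrong-sized result.
    Returns the path of the decrypted output (hypothetical '.decrypted' name)."""
    path = Path(path)
    backup = path.with_name(path.name + ".encrypted.bak")
    shutil.copy2(path, backup)  # the untouched encrypted copy survives any bug
    encrypted = path.read_bytes()
    decrypted = strip_footer(encrypted)
    if not decrypted_size_ok(decrypted, encrypted):
        raise RuntimeError(
            f"{path.name}: decrypted size {len(decrypted)} != expected "
            f"{expected_plaintext_size(encrypted)}; encrypted copy kept at {backup}")
    out = path.with_name(path.name + ".decrypted")
    out.write_bytes(decrypted)
    return out


if __name__ == "__main__":
    import tempfile
    large = build_encrypted_file(SAMPLE_PLAINTEXT, 112)  # the article's 112-block case
    print("buggy output lost the last byte:",
          buggy_strip_footer(large) == SAMPLE_PLAINTEXT[:-1])
    with tempfile.TemporaryDirectory() as tmp:
        enc_path = Path(tmp) / "victim.vhd.RYK"  # hypothetical file name
        enc_path.write_bytes(large)
        try:
            decrypt_with_backup(enc_path, buggy_strip_footer)
        except RuntimeError as err:
            print("caught:", err)
        print("correct decryptor wrote:",
              decrypt_with_backup(enc_path, lambda b: parse_footer(b)[0]).name)
```

Running it shows why the bug is selective: a file with a 112-block count loses its final byte, while one with a four-digit count (say 1500) survives, and a small file with no count is untouched. The size check in `decrypt_with_backup` is the practical takeaway: with the real decryptor you cannot patch its arithmetic, but you can keep an untouched encrypted copy and compare output sizes against what the footer implies before trusting the result.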
