

Ryuk Decryptor Bug May Corrupt Data

The security company Emsisoft is warning that recent versions of Ryuk’s decryptor may fail to recover data correctly even after the victim has paid the criminals for the tool. Ryuk is a particularly nasty ransomware family typically known to infect high-profile targets. There are some instances of stand-alone infections, but it often arrives through Emotet installing Trickbot, which in turn may eventually drop Ryuk. One of its less documented behaviours, according to Emsisoft, is that Ryuk only partially encrypts files larger than 54.4 megabytes, which keeps encryption fast and lets it reach as many files as possible before discovery. Once a file is encrypted, Ryuk appends file markers that flag it as such; when a file is only partially encrypted, these markers are slightly different. The decryptor therefore needs to know how many “blocks” of data were encrypted so that it does not alter data that was left untouched. Recent versions of the decryptor appear to have changed how this count is calculated, causing the tool to leave out the last byte of a file. Depending on the file type, this may be a complete non-issue, but other formats store important data near the end of the file, and without that last byte applications may be unable to open them.

Analyst Notes

Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Many forms of ransomware can seek out network-attached drives when encrypting files. Backups should be updated periodically and stored offline in a secure location. Recent victims of Ryuk (or any ransomware) who choose to pay the ransom should create backups of all encrypted files before running decryptors received after payment. Mistakes made by the criminals could cause permanent data loss, and many ransomware decryptors provided by threat actors automatically delete the encrypted files when done.
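The failure mode described above and the back-up advice in the Analyst Notes, as an added, constructed illustration rather than code from Emsisoft or the Ryuk decryptor: the byte-inversion transform, the block size and the exact off-by-one are assumptions chosen to reproduce a one-byte shortfall, not Ryuk's actual format.

```python
# Constructed demonstration (not Emsisoft's or the Ryuk decryptor's code) of how an
# off-by-one in the count of bytes a decryptor must rewrite truncates its output,
# plus the size check to run on decryptor output before the encrypted copy is removed.
BLOCK_SIZE = 16  # toy block size; Ryuk's real on-disk layout is not modelled


def toy_encrypt(plain: bytes) -> bytes:
    """Stand-in for the ransomware's transform: invert every byte. The real
    cipher is irrelevant here; only the length handling is under examination."""
    return bytes(b ^ 0xFF for b in plain)


def bytes_to_restore(encrypted_len: int, buggy: bool) -> int:
    """Bytes the decryptor will rewrite. The buggy variant uses the index of
    the last byte (len - 1) where it needs the byte count (len)."""
    return encrypted_len - 1 if buggy else encrypted_len


def toy_decrypt(encrypted: bytes, buggy: bool = False) -> bytes:
    """Restore block by block up to the computed limit; with the buggy limit
    the final byte is never written back, the symptom Emsisoft describes."""
    limit = bytes_to_restore(len(encrypted), buggy)
    out = bytearray()
    for start in range(0, limit, BLOCK_SIZE):
        chunk = encrypted[start:min(start + BLOCK_SIZE, limit)]
        out.extend(b ^ 0xFF for b in chunk)
    return bytes(out)


def check_output(encrypted_len: int, restored: bytes) -> str:
    """Responder-side check: the restored file must be exactly as long as the
    encrypted payload (appended marker bytes already excluded from
    encrypted_len). Any shortfall means the decryptor dropped trailing data."""
    missing = encrypted_len - len(restored)
    if missing == 0:
        return "ok"
    return f"truncated: {missing} byte(s) missing; keep the encrypted copy"


if __name__ == "__main__":
    # Constructed sample: a file whose meaningful data sits in its last byte.
    sample = b"RIFF" + bytes(range(40)) + b"\x99"
    blob = toy_encrypt(sample)
    print(check_output(len(blob), toy_decrypt(blob)))
    print(check_output(len(blob), toy_decrypt(blob, buggy=True)))
```

Run the size check against every file a vendor-supplied decryptor produces, and keep the backed-up encrypted copies until every file passes.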