The security company Emsisoft is warning that recent versions of Ryuk's decryptor may fail to recover data correctly even after the victim has paid the criminals for the tool. Ryuk is a particularly nasty ransomware family that is usually aimed at high-profile targets. Stand-alone infections do occur, but it most often arrives at the end of a chain: Emotet installs Trickbot, which in turn may eventually drop Ryuk.

One of Ryuk's lesser-documented features, according to Emsisoft, is that it only partially encrypts files larger than 54.4 megabytes, trading completeness for speed so that it can reach as many files as possible before it is discovered. Once a file is encrypted, Ryuk appends file markers that flag it as such; for partially encrypted files those markers are slightly different. The decryptor must therefore work out how many "blocks" of the file were actually encrypted, so that it does not try to transform data that was left untouched. Recent versions of the decryptor appear to have changed how that block count is calculated, and the result is that the tool drops the last byte of the file.

Depending on the file type this may be a complete non-issue. Many formats, however, keep important structures at or near the end of the file, and without that last byte the application that owns the file may no longer be able to open it. The practical precaution is to keep a copy of every encrypted file before running any decryptor, so that a truncated result can be decrypted again once a corrected tool is available, and to compare each decrypted file's size against its encrypted original (minus the appended marker) before anything is deleted.
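The following toy model is an added example and is not Emsisoft's decryptor or Ryuk's actual file format: the marker string, block size, size threshold and XOR "cipher" are all invented for illustration. It shows the bug class described above (an off-by-one in the block/length arithmetic of a partial-encryption decryptor that silently drops the last byte), the size check a responder can run on every decrypted file, and why one missing byte is fatal for a format such as ZIP, whose end-of-central-directory record sits in the final 22 bytes.

```python
"""Toy partial-encryption scheme with a buggy and a fixed decryptor.

Constructed example: MARKER, BLOCK, THRESHOLD and KEY are hypothetical and
bear no relation to Ryuk's real on-disk format or to Emsisoft's tool.
"""
import io
import zipfile

BLOCK = 16                  # hypothetical block size
THRESHOLD = 4 * BLOCK       # hypothetical "large file" cut-off (Ryuk's is ~54.4 MB)
MARKER = b"TOYMARK"         # hypothetical footer marker appended to encrypted files
KEY = 0x5A                  # toy XOR key; stands in for real encryption
FOOTER_LEN = len(MARKER) + 1 + 4   # marker + partial flag + 32-bit block count


def _xor(buf: bytes) -> bytes:
    return bytes(b ^ KEY for b in buf)


def encrypt(plaintext: bytes) -> bytes:
    """Small files are fully encrypted; files over THRESHOLD have only the
    first half of their whole blocks encrypted and the rest left untouched.
    The footer records the partial flag and how many blocks were encrypted."""
    if len(plaintext) <= THRESHOLD:
        partial, nblocks = 0, -(-len(plaintext) // BLOCK)   # ceil division
        body = _xor(plaintext)
    else:
        partial, nblocks = 1, (len(plaintext) // BLOCK) // 2
        cut = nblocks * BLOCK
        body = _xor(plaintext[:cut]) + plaintext[cut:]
    return body + MARKER + bytes([partial]) + nblocks.to_bytes(4, "little")


def _split(blob: bytes):
    body, footer = blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]
    if not footer.startswith(MARKER):
        raise ValueError("no marker: file is not one of ours")
    partial = footer[len(MARKER)]
    nblocks = int.from_bytes(footer[len(MARKER) + 1:], "little")
    return body, partial, nblocks


def decrypt_buggy(blob: bytes) -> bytes:
    """Off-by-one: the untouched tail is sized from the LAST INDEX instead of
    the length, so partially encrypted files lose their final byte."""
    body, partial, nblocks = _split(blob)
    if not partial:
        return _xor(body)
    cut = nblocks * BLOCK
    last_index = len(body) - 1
    tail_len = last_index - cut          # BUG: should be len(body) - cut
    return _xor(body[:cut]) + body[cut:cut + tail_len]


def decrypt_fixed(blob: bytes) -> bytes:
    """Decrypt exactly the encrypted blocks and copy the tail verbatim."""
    body, partial, nblocks = _split(blob)
    cut = nblocks * BLOCK if partial else len(body)
    return _xor(body[:cut]) + body[cut:]


def size_check(encrypted_blob: bytes, decrypted: bytes) -> bool:
    """Post-decryption sanity check: output must equal input minus footer."""
    return len(decrypted) == len(encrypted_blob) - FOOTER_LEN


def zip_is_openable(data: bytes) -> bool:
    """ZIP keeps its end-of-central-directory record in the last 22 bytes,
    so a single missing trailing byte makes the archive unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_sample_zip(payload_len: int) -> bytes:
    """Constructed sample input: a one-entry stored ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", b"x" * payload_len)
    return buf.getvalue()


def demo() -> dict:
    original = build_sample_zip(200)        # well over THRESHOLD: partial path
    blob = encrypt(original)
    bad, good = decrypt_buggy(blob), decrypt_fixed(blob)
    return {
        "original_len": len(original),
        "buggy_len": len(bad),
        "fixed_len": len(good),
        "buggy_size_ok": size_check(blob, bad),
        "fixed_size_ok": size_check(blob, good),
        "buggy_opens": zip_is_openable(bad),
        "fixed_opens": zip_is_openable(good),
        "fixed_matches": good == original,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The size check is the cheap, format-agnostic test worth running over every decrypted file before the encrypted copies are discarded; the ZIP probe shows the kind of format-specific check that catches the damage the size check explains. Both only help if the encrypted originals are still on disk.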
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased