In 2019 alone, at least three managed service providers (MSPs) have been attacked by Ryuk ransomware. A Russia-based eCrime group that calls itself “WIZARD SPIDER” has been operating the Ryuk ransomware since August 2018. The group directs its attacks at large enterprise organizations in the hope of receiving a large ransom sum. Victims of Ryuk ransomware have been using a decryptor to recover their data. However, a bug was recently discovered in the decryptor app. The bug can corrupt certain files, resulting in permanent data loss.
What is Ryuk Ransomware?
Ryuk ransomware is malware derived from existing ransomware known as Hermes. The ransomware reveals its presence in the form of ransom notes. The ransom demand can vary significantly, based on the size and value of the MSP. The ransom is demanded as a bitcoin (BTC) payment.
Ryuk ransomware can be distributed in several ways, including brute-force attacks against Remote Desktop Protocol (RDP) ports and the exploitation of vulnerabilities that have not been patched.
What Does the Decryptor Bug Do?
There is no free decryptor for Ryuk ransomware.
A decryptor for Ryuk ransomware is provided by the Ryuk authors to those who pay the ransom. The decryptor contains the keys that MSPs can use to decrypt their files and recover their data. The cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor. The bug in the decryptor app can cause file corruption that results in data loss.
Recently, the ransomware encryption process was modified. Ryuk ransomware no longer encrypts files larger than 54.4 megabytes. As a result, the decryptor now truncates large files, dropping the last byte of data in the process. This does not present an issue for file types whose final byte is only padding and carries no data. However, certain file types, including virtual disk files and Oracle database files, use that last byte. Without the last byte, the file becomes corrupted, rendering recovery impossible.
In addition, if the decryptor determines that a file has been successfully decrypted, the original encrypted file is deleted, even if decryption has resulted in file corruption. This means that once the decryptor has run, recovery of corrupted files becomes impossible. It is therefore essential to make a copy of all encrypted files before starting the decryption process.
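The advice above (copy every encrypted file before running the decryptor) and the failure mode described (files over 54.4 MB of types that need their last byte) can be turned into a pre-decryption safeguard: copy the encrypted tree, record a size and hash manifest so the copy can be verified later, and list the files most exposed to the one-byte truncation. The following Python is an added example, not code from the page or from Emsisoft; the extensions used for virtual disk and Oracle database files are assumed, and the ransomware's own appended extension is represented by a constructed ".locked" placeholder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

LARGE_FILE_BYTES = int(54.4 * 1024 * 1024)               # threshold stated in the advisory
LAST_BYTE_SENSITIVE = {".vmdk", ".vhd", ".vhdx", ".dbf"}  # assumed examples of the named file types

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_encrypted(src, backup, threshold=LARGE_FILE_BYTES):
    """Copy every file under src to backup; return {rel path: (size, sha256, at_risk)}."""
    src, backup = Path(src), Path(backup)
    manifest = {}
    for p in (q for q in src.rglob("*") if q.is_file()):
        rel = p.relative_to(src)
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        size = p.stat().st_size
        # The ransomware appends its own extension ("disk.vmdk.<ext>"), so check every suffix.
        sensitive = any(s.lower() in LAST_BYTE_SENSITIVE for s in p.suffixes)
        manifest[str(rel)] = (size, sha256_of(dest), size > threshold and sensitive)
    return manifest

def verify_backup(backup, manifest):
    """Relative paths whose backup copy is missing, resized or altered."""
    backup = Path(backup)
    return sorted(rel for rel, (size, digest, _) in manifest.items()
                  if not (backup / rel).is_file()
                  or (backup / rel).stat().st_size != size
                  or sha256_of(backup / rel) != digest)

def demo():
    """Constructed sample tree, with the threshold lowered to 16 bytes so it runs instantly."""
    src, bak = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (src / "disk.vmdk.locked").write_bytes(b"A" * 32)  # large and last-byte sensitive
    (src / "notes.txt.locked").write_bytes(b"B" * 32)  # large, but a padding-tolerant type
    (src / "small.dbf.locked").write_bytes(b"C" * 8)   # sensitive type, but under threshold
    manifest = snapshot_encrypted(src, bak, threshold=16)
    at_risk = sorted(r for r, (_, _, risk) in manifest.items() if risk)
    clean = verify_backup(bak, manifest)
    with open(bak / "disk.vmdk.locked", "r+b") as f:
        f.truncate(31)  # simulate the decryptor's one-byte truncation on the copy
    return at_risk, clean, verify_backup(bak, manifest)
```

Run `snapshot_encrypted` against the real encrypted share before the decryptor touches it, keep the manifest with the copy, and re-run `verify_backup` whenever a decrypted file is suspected of truncation so the untouched encrypted original can be restored from the backup.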