Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss
upstart writes:
Submitted via IRC for chromas
Ryuk Ransomware Decryptor Is Broken, Could Lead to Data Loss
Due to recent changes in the Ryuk Ransomware encryption process, a bug in the decryptor could lead to data loss in large files.
Ryuk is a ransomware infection known to target the enterprise or govt agencies by gaining access to their networks and then encrypting as many computers as possible. The attackers then demand large ransoms, sometimes in the millions, in order to receive a decryptor for their files.
According to antivirus and security firm Emsisoft, Ryuk was recently modified so that it does not encrypt the entire file if it is larger than than 57,000,000 bytes or 54.4 megabytes. This is done to prevent the encryption process from taking too long, which could allow victims to more readily detect that the ransomware was running.
Instead the decryptor will partially encrypt the file by encrypting a certain number of 1,000,000 byte blocks of data, up to a hard maximum of 2,000
For a large file, the ransomware will then store the number of blocks that were encrypted next the 'HERMES' file marker in the footer. For example, the encrypted file below had 112 1 million-byte blocks encrypted.
Smaller files that are entirely encrypted, though, will not contain a block count in the footer.
Emsisoft CTO Fabian Wosar told BleepingComputer that a bug in the Ryuk decryptor is causing the size of the footer in large files to not be properly calculated due to the variable nature of the block count.
This causes the decryptor to truncate certain files before the last byte.
Read more of this story at SoylentNews.