Emsisoft: Ryuk ransomware is even more dangerous, thanks to a bug in the decryptor. It truncates files, cutting off one byte too many in the process. This may cause major issues
Ryuk ransomware is even more dangerous, thanks to a bug in the malware's decryptor, the tool that the cybercriminals send to victims after they have paid the "fee". The bug was discovered by Emsisoft cyber security experts. It causes an incomplete recovery of some types of files, leading to data loss even though the victim paid the ransom demand. According to the researchers, the decryptor truncates one byte from the end of each file it recovers. In the best-case scenario, the byte cut off by the tool was unused: just slack space at the end, created by aligning the file to certain file size boundaries. However, many virtual disk files such as VHD/VHDX, as well as many database files such as Oracle database files, store important information in that last byte, and files damaged this way will fail to load properly after they are decrypted.
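The VHD case mentioned above can be checked directly: a fixed VHD image ends with a 512-byte footer that starts with the cookie "conectix" and carries a ones'-complement checksum, so losing a single trailing byte shifts the footer and breaks both. The following Python script is an added example (not Emsisoft's code or the decryptor itself) of the sanity check a responder would run on decrypted images before deleting the encrypted originals. The footer layout follows Microsoft's published VHD specification; the sample image is constructed inline and the one-byte truncation is simulated rather than produced by the real decryptor.

```python
import struct

FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"
DISK_TYPE_FIXED = 2


def vhd_footer_checksum(footer: bytes) -> int:
    """Ones' complement of the byte sum of the footer, with the 4-byte
    checksum field at offset 64 treated as zero (per the VHD spec)."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def build_sample_vhd(payload_sectors: int = 4) -> bytes:
    """Construct a minimal fixed-size VHD image: raw sectors followed by the
    512-byte footer. This is a constructed sample, not a real disk image."""
    data = bytes(range(256)) * (payload_sectors * 2)  # 512 bytes per sector
    size = len(data)
    footer = bytearray(FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 8, 2)                    # features (reserved bit set)
    struct.pack_into(">I", footer, 12, 0x00010000)          # file format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF)  # data offset: none for fixed disks
    struct.pack_into(">Q", footer, 40, size)                # original size
    struct.pack_into(">Q", footer, 48, size)                # current size
    struct.pack_into(">I", footer, 60, DISK_TYPE_FIXED)     # disk type
    struct.pack_into(">I", footer, 64, vhd_footer_checksum(bytes(footer)))
    return data + bytes(footer)


def check_vhd_footer(image: bytes) -> tuple:
    """Return (ok, reason). Detects a misaligned or corrupt footer, which is
    exactly what a one-byte truncation of the decrypted file produces."""
    if len(image) < FOOTER_SIZE:
        return False, "file shorter than a VHD footer"
    footer = image[-FOOTER_SIZE:]
    if footer[:8] != VHD_COOKIE:
        return False, "footer cookie not at end of file: possible truncation"
    stored = struct.unpack_from(">I", footer, 64)[0]
    if stored != vhd_footer_checksum(footer):
        return False, "footer checksum mismatch"
    disk_type = struct.unpack_from(">I", footer, 60)[0]
    current_size = struct.unpack_from(">Q", footer, 48)[0]
    if disk_type == DISK_TYPE_FIXED and current_size + FOOTER_SIZE != len(image):
        return False, "fixed disk size does not match file length"
    return True, "footer intact"


if __name__ == "__main__":
    intact = build_sample_vhd()
    truncated = intact[:-1]  # simulate the decryptor dropping the last byte
    print("intact   :", check_vhd_footer(intact))
    print("truncated:", check_vhd_footer(truncated))
```

Run the same check over every decrypted .vhd before discarding the encrypted copies; for VHDX and database files the equivalent check is format-specific, but the principle is the same: verify the trailing structure rather than trusting that the decryptor wrote the full file.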
The cyber security experts: one of the latest features of the malware is the capability to partially encrypt files
According to cyber security experts, Ryuk has plagued the public and private sectors alike over the past years, generating hundreds of millions in ransom revenue for the cybercriminals behind it. Usually deployed through an existing malware infection within a target's network, the ransomware wreaks havoc on any system it can reach, encrypting data with a combination of RSA and AES. Furthermore, the malicious code is continuously improved with new features. One of them is precisely the capability to partially encrypt files: whenever it encounters a file larger than 57,000,000 bytes (or 54.4 megabytes), it encrypts only certain parts of it. This is done to save time and let the malware work its way through the data as quickly as possible before anyone notices.
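Partial encryption matters for recovery triage: in a large file only some regions are ciphertext, and a responder can map which ones by measuring byte entropy per chunk, since encrypted data sits close to 8 bits per byte while most plaintext formats sit far below. The Python script below is an added example, not code from the article or from Emsisoft; it constructs a small sample file with two high-entropy regions inside low-entropy text (the 57,000,000-byte threshold from the article is kept as a parameter, but the sample is deliberately tiny) and reports which chunks look encrypted. The 7.5 bits-per-byte threshold is an assumed cutoff that works for 4 KiB chunks.

```python
import hashlib
import math

CHUNK = 4096
ENTROPY_CUTOFF = 7.5          # assumed: bits/byte above which a chunk is treated as ciphertext
PARTIAL_THRESHOLD = 57_000_000  # size above which the article says Ryuk encrypts only parts


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte-value distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_map(data: bytes, chunk: int = CHUNK) -> list:
    """Return [(offset, entropy, looks_encrypted), ...] for each chunk."""
    result = []
    for off in range(0, len(data), chunk):
        e = shannon_entropy(data[off:off + chunk])
        result.append((off, round(e, 2), e >= ENTROPY_CUTOFF))
    return result


def plaintext_ranges(data: bytes, chunk: int = CHUNK) -> list:
    """Merge consecutive non-encrypted chunks into (start, end) byte ranges,
    i.e. the regions a responder can still carve data from."""
    ranges = []
    for off, _e, enc in entropy_map(data, chunk):
        if enc:
            continue
        end = min(off + chunk, len(data))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((off, end))
    return ranges


def _pseudo_random(nbytes: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler built from a SHA-256 chain, so the
    sample is reproducible (stands in for ciphertext)."""
    out, state = bytearray(), seed
    while len(out) < nbytes:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:nbytes])


def build_sample_file() -> bytes:
    """Constructed sample: 8 chunks of text with chunks 2 and 5 'encrypted'."""
    text_chunk = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK]
    chunks = [text_chunk] * 8
    chunks[2] = _pseudo_random(CHUNK, b"region-a")
    chunks[5] = _pseudo_random(CHUNK, b"region-b")
    return b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample_file()
    if len(sample) > PARTIAL_THRESHOLD:
        print("file exceeds the partial-encryption threshold")
    for off, e, enc in entropy_map(sample):
        print(f"{off:>8}  {e:5.2f}  {'ENCRYPTED' if enc else 'plaintext'}")
    print("recoverable plaintext ranges:", plaintext_ranges(sample))
```

On a real file the interesting output is the plaintext range list: it tells you which parts of a large database or disk image can be carved intact without any key, and whether the encrypted regions line up with what the decryptor later claims to have restored.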