Security firm Emsisoft has warned that a recent update made by cyber criminals to the Ryuk ransomware decryptor has introduced a flaw that results in large encrypted files getting damaged during the decryption process.
Because of the flaw, organisations whose files have been encrypted with Ryuk may not get all of their data back even after paying the ransom for the decryptor.
The Ryuk decryptor is supplied by the attackers once the ransom is paid so that the victim can decrypt its files. A recent update by the decryptor's authors introduced a bug that truncates large files: it cuts off one byte at the end of the file, so the decrypted output is one byte shorter than the original.
Affected organisations should avoid using the Ryuk ransomware decryptor
“Depending on the exact file type, this may or may not cause major issues. In the best-case scenario, the byte that was cut off by the buggy decryptor was unused and just some slack space at the end created by aligning the file towards certain file size boundaries.
“However, a lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted,” said researchers at Emsisoft.
They said that, in order to avoid losing important files permanently, organisations should back up the encrypted files before running the Ryuk decryptor, because the decryptor deletes any encrypted file it believes it has decrypted correctly, leaving nothing to retry from if the output turns out to be truncated.
Emsisoft is also offering its own decryption tool for organisations that have already paid the ransom. It is a replacement for the flawed Ryuk decryptor and is built so that large files such as VHD/VHDX images and Oracle database files are decrypted intact rather than truncated.
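The backup step above is worth scripting rather than doing by hand on a large file share. The following is an added example, not Emsisoft's tool and not the attackers' decryptor: it copies every encrypted file into a separate tree, records each file's size and SHA-256 in a manifest, can verify the snapshot, and can put back any original that a decryptor removed. The encrypted-file extension (`.RYK` in the usage below) and the manifest filename are assumptions, not details from the page; pass whatever extension the incident actually shows.

```python
"""Added example (not Emsisoft's tool, not the attackers' decryptor): snapshot
encrypted files before running a decryptor that deletes its inputs, so that the
originals survive if the decryptor truncates or deletes them."""
import hashlib
import json
import shutil
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB disk images never land in RAM
MANIFEST = "manifest.json"  # assumed name, chosen for this example


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def backup_encrypted(src_root: Path, backup_root: Path, suffix: str) -> dict:
    """Copy every file under src_root whose name ends in `suffix` (the encrypted
    extension is an assumption supplied by the caller) into backup_root,
    preserving relative paths.  Returns and writes a manifest of the form
    {relative_path: {"size": int, "sha256": hex}}."""
    backup_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(src_root.rglob("*")):
        if not path.is_file() or not path.name.endswith(suffix):
            continue
        rel = path.relative_to(src_root).as_posix()
        dest = backup_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps mtime, useful for timeline work
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    (backup_root / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path) -> list:
    """Re-hash every copy; return the relative paths whose size or hash disagree
    with the manifest.  An empty list means the snapshot is intact."""
    manifest = json.loads((backup_root / MANIFEST).read_text())
    bad = []
    for rel, rec in manifest.items():
        copy = backup_root / rel
        if (not copy.exists() or copy.stat().st_size != rec["size"]
                or sha256_of(copy) != rec["sha256"]):
            bad.append(rel)
    return bad


def restore_missing(backup_root: Path, src_root: Path) -> list:
    """Put back any encrypted original the decryptor removed, without touching
    files that still exist.  Returns the relative paths it restored."""
    manifest = json.loads((backup_root / MANIFEST).read_text())
    restored = []
    for rel in manifest:
        target = src_root / rel
        if not target.exists():
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_root / rel, target)
            restored.append(rel)
    return restored


if __name__ == "__main__":
    # Usage on a real share would look like this (paths are placeholders):
    # manifest = backup_encrypted(Path(r"D:\share"), Path(r"E:\ryuk-backup"), ".RYK")
    # assert not verify_backup(Path(r"E:\ryuk-backup"))
    # ... run the decryptor, check the large files, then if needed:
    # restore_missing(Path(r"E:\ryuk-backup"), Path(r"D:\share"))
    pass
```

Keep the backup on separate storage from the share being decrypted, and run `verify_backup` before starting the decryptor: a copy that already disagrees with its manifest is no safety net. After decryption, compare the decrypted large files against the sizes in the manifest if you know the encrypted file's footer size; otherwise the manifest at least guarantees you can retry with a different decryptor.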
Ryuk ransomware used extensively against organisations since 2018
Hackers have used the Ryuk ransomware extensively since 2018 to target companies in the United States and elsewhere. One of the earliest known deployments hit the Los Angeles Times' Olympic printing plant in downtown Los Angeles, disrupting distribution of newspapers from leading U.S. media organisations including The Los Angeles Times, The New York Times, the Wall Street Journal, the Chicago Tribune and the Baltimore Sun.
Last month, a Ryuk ransomware attack launched by Russian hackers targeting a cloud data hosting company resulted in as many as 110 hospitals being unable to access patient medical records and medication administration data that were stored in the company’s servers.
The hackers who took control of the company's servers in the attack demanded $14 million (£10.88 million) to restore access to the hijacked servers, a sum the company could not afford to pay.
Alex Holden, the head of security firm Hold Security, told the Milwaukee Journal Sentinel that the hackers behind the Ryuk ransomware attack on Virtual Care Provider Inc. had gradually gained a foothold in the company's internal systems over the preceding 14 months by sending employees phishing emails with malicious attachments.
Once employees opened the attachments, the attackers took over systems one at a time, disabled antivirus software and eventually obtained administrative accounts, which they used to seize control of the entire network.