Emsisoft researchers say they have found a bug in the code of the well-known Ryuk ransomware, today one of the most active ransomware families. Because of this bug, certain types of files cannot be restored even after the victim pays the ransom.
The researchers explain that Ryuk has recently started behaving differently than before. When it encounters a file larger than 57,000,000 bytes (about 54.4 MiB), it encrypts only parts of that file to save time. As a consequence of this partial encryption, the decryptor ends up truncating the end of each such file, dropping its last byte. In most file formats the last byte carries nothing important, but in some formats it holds data the file cannot do without, and removing it corrupts the file permanently so that it no longer opens.
“Many files, such as virtual disks like VHD/VHDX, as well as many database files, such as Oracle, store important information in this last byte, and files damaged in this way will not be able to load properly after decryption,” the experts write.
The researchers add that they could fix the error in the decryptor, but another problem stands in the way: the decryptor supplied by the Ryuk operators deletes the original encrypted files as it runs, so victims cannot simply re-run decryption with a corrected tool.
For this reason, the Emsisoft team strongly recommends that Ryuk victims make a backup copy of their encrypted files before running the criminals' decryptor, since it destroys the originals. The researchers hope to spread word of the Ryuk bug as widely as possible so that affected organizations can avoid losing data.
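The following script is an added example of the backup step recommended above; it is not Emsisoft's tooling or anything shipped by the Ryuk operators. It mirrors every encrypted file into a backup tree, writes a SHA-256 manifest so the copies can be verified later, and flags the files the article singles out as most at risk: those above the 57,000,000-byte partial-encryption threshold whose original type (VHD/VHDX, Oracle database files) keeps meaningful data in its last byte. The `.RYK` suffix and the extension watch list are assumptions for illustration; the sample tree built by `demo()` is constructed, not real victim data.

```python
"""Back up Ryuk-encrypted files before running the operators' decryptor and
flag the files most exposed to its last-byte truncation bug.

Added example, not Emsisoft's or Ryuk's code. Assumptions: encrypted files end
in '.RYK' (not stated in the article), and LAST_BYTE_SENSITIVE is illustrative.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# From the article: files above this size are only partially encrypted.
PARTIAL_ENCRYPTION_THRESHOLD = 57_000_000
# Assumed suffix appended to encrypted files (assumption, see lead-in).
ENCRYPTED_SUFFIX = ".RYK"
# Types the article names as storing important data in their last byte;
# the set is illustrative, not exhaustive.
LAST_BYTE_SENSITIVE = {".vhd", ".vhdx", ".dbf", ".ora"}


def sha256_of(path):
    """Stream a file through SHA-256 (1 MiB chunks) and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def original_name(path):
    """Strip the ransomware suffix to recover the pre-encryption file name."""
    path = Path(path)
    if path.name.endswith(ENCRYPTED_SUFFIX):
        return path.with_name(path.name[: -len(ENCRYPTED_SUFFIX)])
    return path


def is_at_risk(path):
    """True for a large file whose original type keeps vital data in its last byte.
    The encrypted file's size is used as a proxy for the original size."""
    size = Path(path).stat().st_size
    return (size > PARTIAL_ENCRYPTION_THRESHOLD
            and original_name(path).suffix.lower() in LAST_BYTE_SENSITIVE)


def backup_encrypted(src_root, dst_root):
    """Copy every encrypted file under src_root into dst_root (same tree),
    verify each copy by hash, and write/return a manifest keyed by POSIX path."""
    src_root, dst_root = Path(src_root), Path(dst_root)
    manifest = {}
    for path in src_root.rglob("*" + ENCRYPTED_SUFFIX):
        if not path.is_file():
            continue
        rel = path.relative_to(src_root)
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dst)
        digest = sha256_of(path)
        if sha256_of(dst) != digest:
            raise RuntimeError(f"backup copy of {rel} does not match source")
        manifest[rel.as_posix()] = {
            "size": path.stat().st_size,
            "sha256": digest,
            "at_risk": is_at_risk(path),
        }
    (dst_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst_root):
    """Re-hash the backup against its manifest; return the paths that differ."""
    dst_root = Path(dst_root)
    manifest = json.loads((dst_root / "manifest.json").read_text())
    return [rel for rel, meta in manifest.items()
            if sha256_of(dst_root / rel) != meta["sha256"]]


def demo():
    """Build a constructed sample tree in a temp dir, back it up, verify it,
    and return the manifest plus the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        (src / "vm").mkdir(parents=True)
        # Constructed sample: a sparse "VHDX" one byte over the threshold.
        big = src / "vm" / "disk.vhdx.RYK"
        with big.open("wb") as f:
            f.seek(PARTIAL_ENCRYPTION_THRESHOLD)
            f.write(b"\x00")
        # Constructed sample: a small document and an untouched file.
        (src / "notes.docx.RYK").write_bytes(b"constructed-ciphertext")
        (src / "readme.txt").write_bytes(b"not encrypted")
        backup = Path(tmp) / "backup"
        manifest = backup_encrypted(src, backup)
        mismatches = verify_backup(backup)
    return {"manifest": manifest, "mismatches": mismatches}


if __name__ == "__main__":
    result = demo()
    for rel, meta in result["manifest"].items():
        print(f"{rel}: {meta['size']} bytes, at_risk={meta['at_risk']}")
    print("verification mismatches:", result["mismatches"])
```

Run `backup_encrypted(share_root, backup_root)` on the affected volume before launching the decryptor, keep the backup on separate storage, and re-run `verify_backup(backup_root)` after decryption. Entries marked `at_risk` are the ones to inspect first once a corrected decryptor becomes available, since their backed-up ciphertext is the only way to decrypt them a second time.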