A bug in the Ryuk ransomware makes data recovery impossible even if the ransom is paid. Who will fix this flaw?

Hundreds of things could go wrong after a ransomware victim pays the money demanded by criminals. Digital forensics specialists from security firm Emsisoft reported a bug in the Ryuk ransomware decryption tool (the tool criminals deliver to victims after they pay the ransom) that causes failures in the file recovery process.

According to the report, this bug causes incomplete recovery of some file types, resulting in permanent loss of encrypted data even when the victim has paid the ransom to the hackers.

This is apparently because the decryption tool truncates one byte from the end of each file encrypted with Ryuk. In most cases this last byte is only padding with no practical use; however, for some file types that byte carries information vital to the integrity of the file. If that byte is deleted or altered, the file is permanently damaged and cannot be recovered, digital forensics specialists note.

In its report, Emsisoft mentions that: “Multiple virtual disk files, such as VHD/VHDX, in addition to database files, such as those employed by Oracle, store important information in the last byte, so if altered by the Ryuk decryption tool, their recovery will be incorrect and they will not be accessible after decryption”.

Emsisoft says it has tracked down this bug, so it recommends that Ryuk ransomware victims who have received the decryption tool consult its specialists so the flaw can be fixed and the last byte of their important files is not corrupted.

Unfortunately, this is not the only problem ransomware victims face. Digital forensic experts note that, because the cybercriminals delete the original version of the encrypted files, the corrected version of the tool will be of no use to anyone who has already tried to recover their files with the version of the decryptor containing the bug. The only safe course is for victims to make copies of the encrypted data to serve as a backup in case their files are destroyed. With that backup of the encrypted files, victims can run the corrected decryption tool without any major mishaps.

International Institute of Cyber Security (IICS) digital forensics specialists note that Ryuk remains one of the ransomware variants most commonly used by cybercriminals today. To infect a device, threat actors typically rely on other malware, such as TrickBot or Emotet.

Since its emergence a couple of years ago, hundreds or even thousands of companies around the world have fallen victim to this infection. Whether they are financial service providers, technology device manufacturers or software vendors, Ryuk is equally effective against all of them, because its operators exploit a company’s weakest points, which are usually employees with little knowledge of cybersecurity.