A recent update to the Ryuk ransomware has led to damage to large files that the malware has encrypted, Emsisoft security researchers warn.
Initially discovered last year, the Ryuk ransomware has been used in attacks on public as well as private organizations and is typically deployed through existing malware infections already present in the target networks.
Emsisoft says that the malware encrypts data using a combination of RSA and AES and has already generated hundreds of millions in revenue for its operators.
Given these successes, Ryuk's operators have continued to improve their malware, adding many new features in the past year alone, including partial file encryption.
This feature is applied to files larger than 57,000,000 bytes (about 54.4 megabytes): the malware encrypts only selected sections of such files, both to speed up encryption and to avoid detection.
Ryuk uses the file marker HERMES, which is typically stored at the end of the file together with the RSA-encrypted AES key. A partially encrypted file therefore carries a slightly different footer than usual.
These files also show a clearly visible counter of how many 1,000,000-byte blocks were encrypted (this indicator is missing for fully encrypted files).
One of Ryuk's latest versions changes the way the footer length is calculated, which leads the decryptor to truncate files by cutting off one additional byte when decrypting.
Depending on the exact file type, this can cause problems. Emsisoft clarified that in some cases the byte is unused, but many VHD/VHDX files and server files store important information in that last byte, so those files no longer load properly after decryption.
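To make the failure concrete, here is an added example (not Emsisoft's or Ryuk's code) that models a trailing HERMES footer with a constructed layout, reproduces the off-by-one in the footer length calculation, and shows the check a defender can run against a backed-up encrypted copy before trusting a decryptor's output. The field order and sizes in the footer are assumptions; the article does not document Ryuk's real footer.

```python
import struct
from typing import Optional

# Constructed footer layout used only for this demonstration (an assumption,
# not Ryuk's real format):
#   body || key_blob(KEY_BLOB_LEN) || [blocks(4) if partial] || flag(1) || b"HERMES"
MARKER = b"HERMES"
KEY_BLOB_LEN = 256      # assumed length of the RSA-wrapped AES key blob
CHUNK = 1_000_000       # the 1,000,000-byte unit the counter described above uses
FLAG_FULL, FLAG_PARTIAL = b"\x00", b"\x01"

def build_encrypted_file(body: bytes, key_blob: bytes, blocks: Optional[int]) -> bytes:
    """Append the (hypothetical) footer to a body that stands in for encrypted data."""
    assert len(key_blob) == KEY_BLOB_LEN
    if blocks is None:                       # fully encrypted file: no counter
        return body + key_blob + FLAG_FULL + MARKER
    return body + key_blob + struct.pack("<I", blocks) + FLAG_PARTIAL + MARKER

def parse_footer(data: bytes) -> dict:
    """Read the footer from the end of the file and return its fields."""
    if not data.endswith(MARKER):
        raise ValueError("no HERMES marker at end of file")
    flag = data[-len(MARKER) - 1:-len(MARKER)]
    partial = flag == FLAG_PARTIAL
    footer_len = len(MARKER) + 1 + (4 if partial else 0) + KEY_BLOB_LEN
    if len(data) < footer_len:
        raise ValueError("file shorter than its footer")
    key_blob = data[-footer_len:-footer_len + KEY_BLOB_LEN]
    blocks = None
    if partial:
        blocks = struct.unpack("<I", data[-len(MARKER) - 5:-len(MARKER) - 1])[0]
    return {"footer_len": footer_len, "key_blob": key_blob,
            "blocks_encrypted": blocks,
            "bytes_encrypted": None if blocks is None else blocks * CHUNK}

def strip_footer(data: bytes, off_by_one: bool = False) -> bytes:
    """Return the body. off_by_one=True reproduces the faulty footer length
    computation: one byte too many is removed from the end of the file."""
    n = parse_footer(data)["footer_len"] + (1 if off_by_one else 0)
    return data[:-n]

def missing_tail_bytes(encrypted: bytes, decrypted: bytes) -> int:
    """Bytes a decryptor lost: expected body length (encrypted size minus
    footer) minus the actual output length. Run this against the encrypted
    backup before it is deleted; any positive value means truncation."""
    expected = len(encrypted) - parse_footer(encrypted)["footer_len"]
    return expected - len(decrypted)
```

Files whose last byte is unused will still open after a one-byte truncation, which is why the length check is more reliable than simply trying to load the file.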
The issue, the security researchers say, most likely affects users who became Ryuk victims in the last two weeks. To check whether they are affected, users can simply check whether they have files that no longer load.
Emsisoft says it can help these victims, but only if they have copies or backups of the encrypted data (the Ryuk decryptor usually deletes the encrypted files after it has decrypted them).
“Similarly, if you have paid for a decryptor but still have to use it, either back up your files or contact us before running it. Our tool will allow you to retrieve your data safely, while the tool provided by the bad players will not.”
Emsisoft's decryption tool does not, however, eliminate the need to pay the ransom; it simply replaces the tool supplied by the criminals.