Ryuk ransomware change breaks decryption tool

The threat actors behind Ryuk ransomware made changes to their code that have made the official decryption tool unreliable, according to security researchers.

Security researchers are warning recent victims of Ryuk ransomware attacks that anyone hit may be supplied with a broken decryption tool if they pay the ransom.

New Zealand antimalware vendor Emsisoft said the Ryuk ransomware authors made changes to their code recently that could prevent files from loading properly after being decrypted. According to a blog post, the issue stems from a feature added to Ryuk in the past year where the ransomware will partially encrypt files.

"Whenever Ryuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of it in order to save time and allow it to work its way through the data as quickly as possible before anyone notices," Emsisoft Malware Lab researchers wrote in a blog post. "In one of the latest versions of Ryuk, changes were made to the way the length of the footer is calculated. As a result, the decryptor provided by the Ryuk authors will truncate files, cutting off one too many bytes in the process of decrypting the file."

Emsisoft said the bug in the Ryuk ransomware decryption tool may not cause issues in every case, but it could lead to certain file types no longer loading properly. Because of this unreliability, Emsisoft strongly suggests that victims create backups of the encrypted data so decryption can be attempted again if it doesn't work the first time.
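As an added illustration (not Emsisoft's or Ryuk's code, and using a constructed footer layout rather than Ryuk's real on-disk format), the following shows how an off-by-one in the footer-length calculation shaves one byte off every decrypted file, and the kind of post-decryption size and format check a responder can run before discarding the encrypted copies:

```python
import struct

# Constructed container layout for this illustration only (not Ryuk's real on-disk format):
#   encrypted file = <body><footer payload><4-byte little-endian footer payload length>
# The cipher itself is irrelevant to the truncation bug, so the body is left as-is here.
LEN_FIELD = 4
PNG_TRAILER = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # IEND chunk that ends every valid PNG

def footer_length(encrypted: bytes) -> int:
    """Total footer size (payload + length field) as recorded in the trailer."""
    payload_len = struct.unpack("<I", encrypted[-LEN_FIELD:])[0]
    return payload_len + LEN_FIELD

def strip_footer(encrypted: bytes, extra: int = 0) -> bytes:
    """Recover the body; `extra` models a decryptor that miscounts the footer length."""
    return encrypted[: len(encrypted) - footer_length(encrypted) - extra]

def correct_decrypt(encrypted: bytes) -> bytes:
    return strip_footer(encrypted, 0)

def buggy_decrypt(encrypted: bytes) -> bytes:
    return strip_footer(encrypted, 1)  # cuts one byte too many, as the broken tool does

def check_decrypted(encrypted: bytes, decrypted: bytes) -> dict:
    """Size check: the encrypted copy tells us exactly how long the plaintext must be."""
    expected = len(encrypted) - footer_length(encrypted)
    return {"expected": expected, "actual": len(decrypted), "truncated_by": expected - len(decrypted)}

def has_png_trailer(data: bytes) -> bool:
    """Format-level check: a PNG missing its final CRC byte will not load in many viewers."""
    return data.endswith(PNG_TRAILER)

def build_sample(body: bytes, footer_payload: bytes) -> bytes:
    return body + footer_payload + struct.pack("<I", len(footer_payload))

# Constructed sample: a minimal PNG-shaped body plus a 16-byte footer payload
SAMPLE_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + PNG_TRAILER
SAMPLE = build_sample(SAMPLE_BODY, b"\xAA" * 16)

if __name__ == "__main__":
    for name, fn in (("correct", correct_decrypt), ("buggy", buggy_decrypt)):
        out = fn(SAMPLE)
        print(name, check_decrypted(SAMPLE, out), "png trailer ok:", has_png_trailer(out))
```

The size check only works while the encrypted original is still available, which is the practical reason for Emsisoft's advice to back up encrypted data before running any decryptor.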

Brett Callow, spokesperson for Emsisoft, said those who have been hit with Ryuk ransomware in the past two weeks should contact the company in case they were provided a faulty decryption tool.

"The first faulty decryption tools were spotted four days ago which, given the typical turnaround times for victims to obtain the decryptor, means the infections/encryptions probably occurred about seven to eight days prior," Callow told SearchSecurity.

Emsisoft said it has been able to create a reliable decryption tool for Ryuk ransomware attacks; however, Callow noted that Emsisoft's tool works by extracting "the key from the decryption tool the bad actor supplied (after the ransom was paid) and insert it into our own decryption tool."

This means victims must pay the ransom to the threat actors because the only way to recover files with Emsisoft's tool is with access to the bad actor's key, and as yet no master key for Ryuk has been obtained.

Callow added that "depending on the complexity of the case," Emsisoft may charge for use of its Ryuk decryption tool.

"Unlike our other tools -- which are all completely free and can be freely downloaded from our website or the No More Ransom Project -- this one requires customization in every case," Callow said. "If we do charge, it'd be a modest amount -- $500 tops. Also, we'd never not help a victim who couldn't afford to pay."

According to research released by CrowdStrike earlier this year, Ryuk ransomware had accumulated more than $3.7 million in payments since attacks were first spotted in August 2018. Researchers disagree on who is behind Ryuk, with some saying the evidence points to North Korea, while others say the threat actors appear to be Russian-speaking cybercriminals not affiliated with the Russian government.