Don't pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor

Oracle DBs particularly vulnerable to fake decryptions, say researchers

If you're an Oracle database user and are tempted to pay off a Ryuk ransomware infection to get your files back, for pity's sake, don't. The criminals behind it have broken their own decryptor, meaning nobody will be able to unlock files scrambled by the malicious software.

This is according to infosec biz Emsisoft, which warned the latest evolution of Ryuk's decryptor truncates a file footer used by the ransomware to check whether or not a particular file has been fully or partially encrypted.

"In one of the latest versions of Ryuk," said Emsisoft in a recent blog post, "changes were made to the way the length of the footer is calculated. As a result, the decryptor provided by the Ryuk authors will truncate files, cutting off one too many bytes in the process of decrypting the file."

If you're lucky, that final byte which gets hacked off was unused. If you're unlucky, however, your virtual disk file (VHD/VHDX) or your Oracle database file "will store important information in that last byte", meaning the file will fail to load properly after decryption.

Should you have acquired a Ryuk ransomware infection within the last two weeks (ie, the latest strain), don't be tempted to take the easy way out and pay off the crooks. It won't work and you'll be left empty-handed and out of pocket.

Emsisoft, which, among other things, sells commercial ransomware recovery services, said in a blog post: "If you've paid for a decryptor but have yet to use it, either back up your files before running it or get in touch with us instead."

The firm added: "prior to running any ransomware decryptor – whether it was supplied by a bad actor or by a security company – be sure to back up the encrypted data first. Should the tool not work as expected, you'll be able to try again."

Ryuk is a particularly horrible software nasty. It works by finding and encrypting network drives as well as wiping Windows volume snapshots to prevent the use of Windows System Restore points as an easy recovery method, as we explained when reporting how an American local council recovered from a Ryuk infection without paying the ransom.

The ransomware is thought to have originated in North Korea, forming part of the well-documented means by which the pariah state continues acquiring cash with which to keep functioning in the face of heavy and ongoing international sanctions.

Victims who pay the ransoms are very likely to be funding the North Korean hereditary dictatorship, which actively practises all kinds of organised, deliberate barbarity. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021