The Ryuk ransomware has become notorious over the past several years, reportedly raking in hundreds of millions of dollars in ransom payments for its creators. It has targeted both the private and public sectors, encrypting files on infected networks with a combination of AES and RSA: each file is encrypted with an AES key, and that key is in turn encrypted with the attackers' RSA public key.
One of the reasons for Ryuk's persistent success is that its creators have never stopped improving and evolving it. Over the past year alone we have seen multiple new features added to it, making it an even bigger threat than it already was.
One of the new features that hasn't been well documented is Ryuk's ability to encrypt files partially. Whenever Ryuk comes across a file larger than 54.4 megabytes, it encrypts only certain parts of it. The goal is to render as much data unusable as possible in as little time as possible, and to stay unnoticed while doing so. Files encrypted this way carry a slightly different footer at the end of the file, which is where Ryuk normally stores the RSA-encrypted AES key used for that file.
One of the most recent Ryuk versions changed how the length of this footer is calculated. As a result, the decryptor that the threat actors send to victims who have paid the ransom truncates files, cutting off the last byte during decryption. Whether this matters depends on the file type: in many formats the final bytes are just padding and contain no data. Oracle database files and certain virtual disk formats, such as VHD and VHDX, however, store essential data in that last byte, so those files remain unusable even after "successful" decryption.
What's even worse is that you might never recover certain files, even after paying the ransom. The decryptor provided by the threat actors behind Ryuk deletes the encrypted versions of the files after it has "decrypted" them, so you can be left with a broken file and no encrypted original to try again with. One way to avoid this outcome is not to negotiate with the criminals at all and to look for another way to recover your files. Whatever route you take, make copies of the encrypted data before attempting any recovery, and run any decryptor against those copies rather than the originals, so that a failed or faulty decryption can be redone.
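The article does not include the operators' decryptor, so the following is an added example (not code from the original post, nor from the Ryuk operators) that models the failure mode described above and the check a responder would want to run on the copies. It builds a constructed toy fixed-size VHD image, drops its last byte the way the faulty decryptor is described to, and validates the trailing 512-byte VHD footer (the "conectix" cookie and the big-endian one's-complement checksum at offset 64, as documented in Microsoft's VHD format specification). The image contents and the one-byte-truncation model are assumptions made for the example; the off-by-one is only a stand-in for the behaviour the article describes, and the checker goes slightly beyond the article by also verifying the footer checksum, which catches corruption that a plain size check would miss.

```python
import os
import struct

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"
VHD_DATA_OFFSET_OFFSET = 16   # 8-byte data offset field
VHD_DISK_TYPE_OFFSET = 60     # 4-byte disk type field
VHD_CHECKSUM_OFFSET = 64      # 4-byte big-endian checksum field


def vhd_footer_checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the byte sum, checksum field zeroed."""
    zeroed = footer[:VHD_CHECKSUM_OFFSET] + b"\x00" * 4 + footer[VHD_CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def check_vhd_tail(total_size: int, tail: bytes):
    """Validate the trailing VHD footer given the file size and its last 512 bytes.

    Returns (ok, reason). A decryptor that drops the final byte shifts the footer
    by one, so the cookie no longer lines up and the size is no longer sector-aligned.
    """
    if total_size < VHD_FOOTER_SIZE or len(tail) != VHD_FOOTER_SIZE:
        return False, "file shorter than a VHD footer"
    if total_size % 512 != 0:
        return False, f"size {total_size} is not a multiple of 512 (truncated?)"
    if tail[:8] != VHD_COOKIE:
        return False, f"footer cookie {tail[:8]!r} != {VHD_COOKIE!r}"
    stored = struct.unpack(">I", tail[VHD_CHECKSUM_OFFSET:VHD_CHECKSUM_OFFSET + 4])[0]
    computed = vhd_footer_checksum(tail)
    if stored != computed:
        return False, f"footer checksum 0x{stored:08x} != computed 0x{computed:08x}"
    return True, "footer intact"


def check_vhd_file(path: str):
    """Same check against a file on disk; reads only the size and the last 512 bytes."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(max(0, size - VHD_FOOTER_SIZE))
        tail = f.read(VHD_FOOTER_SIZE)
    return check_vhd_tail(size, tail)


def build_sample_vhd(payload_sectors: int = 4) -> bytes:
    """Constructed toy fixed VHD: `payload_sectors` 512-byte sectors plus a valid footer.

    Only the fields the checker looks at are filled in; this is sample data for the
    example, not a bootable disk image.
    """
    payload = (bytes(range(256)) * 2) * payload_sectors          # 512 bytes per sector
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[:8] = VHD_COOKIE
    struct.pack_into(">Q", footer, VHD_DATA_OFFSET_OFFSET, 0xFFFFFFFFFFFFFFFF)  # fixed disk
    struct.pack_into(">I", footer, VHD_DISK_TYPE_OFFSET, 2)                     # 2 = fixed
    struct.pack_into(">I", footer, VHD_CHECKSUM_OFFSET, vhd_footer_checksum(bytes(footer)))
    return payload + bytes(footer)


def simulate_buggy_decryptor(plaintext: bytes) -> bytes:
    """Assumed model of the defect the article describes: output is one byte too short.

    This is NOT the operators' decryptor; it only reproduces the truncation effect.
    """
    return plaintext[:-1]


if __name__ == "__main__":
    good = build_sample_vhd()
    print("intact image:     ", check_vhd_tail(len(good), good[-VHD_FOOTER_SIZE:]))
    bad = simulate_buggy_decryptor(good)
    print("after faulty run: ", check_vhd_tail(len(bad), bad[-VHD_FOOTER_SIZE:]))
```

In practice you would copy every encrypted file to a separate location first, let the decryptor work on the copies, and then run `check_vhd_file` over each recovered `.vhd`; anything it rejects still has an untouched encrypted copy to fall back on. The size-alignment test is deliberately first because it is cheap and catches the one-byte case outright, while the checksum test catches damage elsewhere in the footer.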