Ryuk, the ransomware that criminals are using to extort Bitcoin from enterprise victims, now ships with a decryptor that its own operators have broken, meaning that victims have no guarantee of getting their files back even after the ransom has been paid. The finding has led security companies to urge affected organisations not to pay and not to run the decryption tool the attackers supply, since it can leave files permanently unrecoverable.
Decryptor bug means #Ryuk victims stuck in ransomware rut https://t.co/0cemer2AhA by @Jeremy_Kirk
POV: @emsisoft @coveware @McAfee_Labs
— Mathew J Schwartz (@euroinfosec) December 10, 2019
Victims Urged to Refuse Paying Out
Ryuk is a particularly destructive ransomware family aimed at large networks; past victims include entire cities, such as Lake City in Florida, and healthcare IT provider Virtual Care Provider Inc. The attackers demand large sums in BTC to unlock files, and many victims, Lake City among them, have felt they had no choice but to pay to get their data back. Victims hit recently, however, are being urged not to pay, because the decryptor the attackers hand over is now broken and may not restore the files at all.
Anti-malware provider Emsisoft, in the blog post announcing the discovery, advised that anyone in receipt of a decryptor should, at the very least, back up the encrypted files before attempting to unlock them, since a decryptor that fails mid-way can destroy the only remaining copy. Anyone hit within the past two weeks should seek help before attempting an unlock or considering payment, as the strain circulating in that period is the one shipped with the broken decryptor.
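The back-up step Emsisoft recommends is easy to get wrong under pressure: copying files by hand gives no proof that the copies are intact, and a decryptor that truncates or mangles a file leaves nothing to compare against. The script below is an added example, not code from Emsisoft or the original article. It snapshots every encrypted file under a directory into a separate location, preserving the relative layout, and writes a manifest of sizes and SHA-256 hashes so the backup can be re-verified before and after any decryption attempt. It assumes the encrypted files carry a `.RYK` extension (adjust `ENCRYPTED_SUFFIXES` to whatever is observed on the affected host); the sample directory in the `__main__` block is constructed test data, not real victim files.

```python
"""Snapshot encrypted files, with an integrity manifest, before running any decryptor.

Added example; assumes encrypted files are identifiable by extension and that the
snapshot location is a separate, ideally offline, volume.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumption of this example: encrypted files carry the .RYK extension.
# Change this to match what is actually observed on the affected systems.
ENCRYPTED_SUFFIXES = (".ryk",)
MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-gigabyte files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_encrypted_files(src_dir, dest_dir, suffixes=ENCRYPTED_SUFFIXES) -> dict:
    """Copy every encrypted file under src_dir into dest_dir, keeping the relative
    path, and record each copy's size and SHA-256 in a manifest.

    Every copy is re-hashed after writing; a mismatch raises rather than leaving a
    silently corrupt backup behind. Returns the manifest as a dict.
    """
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        if src.suffix.lower() not in suffixes:
            continue  # leave unencrypted files alone; they are not at risk here
        rel = src.relative_to(src_dir)
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        expected = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 preserves timestamps, useful for later forensics
        if sha256_file(dst) != expected:
            raise IOError(f"copy of {rel} does not match source; backup aborted")
        manifest[rel.as_posix()] = {"size": src.stat().st_size, "sha256": expected}
    (dest_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_snapshot(dest_dir) -> list:
    """Re-check every snapshot file against its manifest entry.

    Returns the relative paths that are missing, have changed size, or whose
    hash no longer matches. An empty list means the snapshot is intact.
    """
    dest_dir = Path(dest_dir)
    manifest = json.loads((dest_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, info in manifest.items():
        path = dest_dir / rel
        if (not path.is_file()
                or path.stat().st_size != info["size"]
                or sha256_file(path) != info["sha256"]):
            problems.append(rel)
    return problems


if __name__ == "__main__":
    # Constructed sample data for demonstration only, not real victim files.
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp, "share")
        (victim / "finance").mkdir(parents=True)
        (victim / "finance" / "q3.xlsx.RYK").write_bytes(b"\x00" * 4096 + b"ciphertext")
        (victim / "notes.txt").write_bytes(b"not encrypted, so skipped")
        snap = Path(tmp, "snapshot")
        print(json.dumps(snapshot_encrypted_files(victim, snap), indent=2))
        print("verify:", verify_snapshot(snap) or "ok")
```

Run the decryptor only against a working copy, never against the snapshot, and run `verify_snapshot` again afterwards: if the decryptor has touched the backup, the manifest will say so, and the untouched ciphertext can be restored for a second attempt with a different tool.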
North Korea Thought to be Behind Ryuk
Emsisoft offers its own decryptor, which replaces the attackers' faulty tool but does not remove the need to pay: the key that unlocks the files still has to be obtained from the attackers. Ryuk has been linked by some to North Korea, as part of the state-sponsored hacking programme carried out by three groups, Lazarus Group, Bluenoroff and Andariel, which is estimated to have earned the regime in excess of $2 billion; other researchers attribute Ryuk instead to a Russian-speaking criminal group, so the attribution remains disputed.