{
	"id": "205fc2b0-8c8c-4882-892e-de66f572b22a",
	"created_at": "2026-04-06T00:14:40.436121Z",
	"updated_at": "2026-04-10T13:12:19.682953Z",
	"deleted_at": null,
	"sha1_hash": "d25324db65c7d7f94865efb42f524645833f74f0",
	"title": "Caution! Ryuk Ransomware decryptor damages larger files, even if you pay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 446495,
	"plain_text": "Caution! Ryuk Ransomware decryptor damages larger files, even if\r\nyou pay\r\nBy Emsisoft Malware Lab\r\nPublished: 2019-12-09 · Archived: 2026-04-05 15:17:55 UTC\r\nRyuk has plagued the public and private sectors alike over the past years, generating hundreds of millions of\r\nransom revenues for the criminals behind it. Usually deployed via an existing malware infection within a target’s\r\nnetwork, Ryuk wreaks havoc on any system that can be accessed, encrypting data using a combination of RSA and\r\nAES.\r\nJust because Ryuk has been hugely successful, doesn’t mean its creators stopped evolving and improving it,\r\nhowever. So it comes to no surprise that we have seen multiple new features added to Ryuk over the past year.\r\nOne of these features that isn’t well documented is its capability to partially encrypt files. Essentially, whenever\r\nRyuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of\r\nit in order to save time and allow it to work its way through the data as quickly as possible before anyone notices.\r\nhttps://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/\r\nPage 1 of 3\n\nThe code used by Ryuk to determine how much of a file to encrypt if the file exceeds a size limit of 57,000,000\r\nbytes\r\nFiles that are only partially encrypted will show a slightly different-than-normal footer at the end of the file, where\r\nHermes usually stores the RSA-encrypted AES key that was used to encrypt the file’s content. In addition to the\r\nHERMES files marker used by Ryuk, you will also find a clearly visible counter of how many 1,000,000 bytes\r\nblocks have been encrypted for this file. 
If that indicator is missing, the whole file is considered to be encrypted.\r\nThe extended version of the Ryuk file footer highlighting the number of encrypted blocks for partially encrypted\r\nfiles\r\nIn one of the latest versions of Ryuk, changes were made to the way the length of the footer is calculated. As a\r\nresult, the decryptor provided by the Ryuk authors will truncate files, cutting off one too many bytes in the process\r\nof decrypting the file. Depending on the exact file type, this may or may not cause major issues. In the best-case\r\nscenario, the byte that was cut off by the buggy decryptor was unused and just some slack space at the end created\r\nby aligning the file towards certain file size boundaries. However, a lot of virtual disk type files like VHD/VHDX\r\nas well as a lot of database files like Oracle database files will store important information in that last byte and\r\nfiles damaged this way will fail to load properly after they are decrypted.\r\nOne of the services we provide at Emsisoft is to help ransomware victims who paid the ransom to recover their\r\nfiles even if the ransomware authors left them hanging by either being uncooperative or providing tools that do\r\nnot do the job properly, both of which are increasingly common outcomes.\r\nSo if you are a Ryuk victim that was hit within the last two weeks and have files which will not load, please\r\ncontact us so we can provide you with a properly working decryptor. Please understand that this will only work if\r\nyou still have copies or backups of your encrypted data, as the Ryuk decryptor will usually delete files it thinks\r\nwere decrypted properly. Similarly, if you’ve paid for a decryptor but have yet to use it, either back up your files\r\nbefore running it or get in touch with us instead. 
Our tool will enable you to safely recover your data whereas the\r\ntool supplied by the bad actors will not.\r\nNote our decryption tool does not remove the need for ransoms to be paid; it is simply a replacement for the\r\ncriminal-supplied tool.\r\nA final word of advice: prior to running any ransomware decryptor – whether it was supplied by a bad actor or by\r\na security company – be sure to back up the encrypted data first. Should the tool not work as expected, you’ll be\r\nable to try again.\r\nSource: https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/"
	],
	"report_names": [
		"bug-in-latest-ryuk-decryptor-may-cause-data-loss"
	],
	"threat_actors": [],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d25324db65c7d7f94865efb42f524645833f74f0.pdf",
		"text": "https://archive.orkl.eu/d25324db65c7d7f94865efb42f524645833f74f0.txt",
		"img": "https://archive.orkl.eu/d25324db65c7d7f94865efb42f524645833f74f0.jpg"
	}
}