Enterprise Ransomware Recovery
Ryuk Ransomware Data Recovery
Ryuk uses AES-256 symmetric encryption wrapped with RSA-2048 public keys. Breaking that cryptography is not feasible. Recovery depends on three vectors: files the malware skipped by size or extension, deleted Volume Shadow Copies that persist on mechanical drive platters, and hex-level repair of databases corrupted by Ryuk's own flawed decryptor.
Write-Blocked Forensic Imaging
Zero contact with live network

How Ryuk Recovery Works
Ryuk encrypts files using AES-256 with per-file keys wrapped by the attacker's RSA-2048 public key. No lab can reverse that math without the private key, and no public decryptor exists for Ryuk. Recovery focuses on extracting data the malware missed: files below the encryption size threshold, deleted pre-encryption copies in unallocated disk sectors, and Volume Shadow Copy remnants on mechanical hard drives. We image every drive offline using hardware write-blockers and PC-3000, then work from cloned images to preserve all recoverable evidence.
Ryuk Technical Profile
Ryuk first appeared in August 2018, derived from the HERMES ransomware codebase attributed to the Lazarus Group. The WIZARD SPIDER threat group (also behind TrickBot and Conti) operated Ryuk as a "big game hunting" tool: manually deployed against high-value targets after weeks of network reconnaissance. Unlike mass-distribution ransomware, each Ryuk deployment was customized for the victim's infrastructure.
- Encryption Model: Three-tier key hierarchy: a global RSA-2048 key pair controlled by the attacker, a per-victim RSA key pair generated at deployment, and per-file AES-256 symmetric keys generated via the Windows CryptGenKey API. Each file's AES key is encrypted with the victim's RSA public key and stored in the file footer alongside the HERMES marker string. The victim's RSA private key is encrypted with the global RSA public key and included in the ransom note.
- Selective Encryption Strategy: Ryuk does not encrypt the entire disk. It targets files by extension (.docx, .xlsx, .pdf, .pst, .vmdk, .mdf, .bak) and skips system directories (Windows, Boot, ProgramData) to keep the OS bootable for ransom note display. Early variants skipped files smaller than ~1MB entirely. Files larger than 54.4MB (57,000,000 bytes) are only partially encrypted: Ryuk reads the file in chunks, encrypts alternating blocks, and writes back. This partial encryption is where recovery opportunities exist, because unencrypted blocks within large files can contain usable database pages and document fragments.
- HERMES Lineage and File Markers: Ryuk-encrypted files carry the HERMES marker string in their footer, a holdover from the original HERMES 2.1 ransomware code. The .ryk extension is appended to each encrypted file. We use the HERMES footer offset to identify which blocks within a partially encrypted file remain in plaintext, enabling targeted extraction of unencrypted database pages without attempting full decryption.
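As an added example (not the lab's own tooling), the footer-marker and extension check described above, run over a read-only mounted clone to map which files were skipped, fully encrypted, or partially encrypted; this is the same scope map the lab procedure below produces in its third step. The 57,000,000-byte threshold and the .ryk/HERMES strings come from this page, while the 4 KiB footer search window and all function names are assumptions.

```python
import os

RYUK_EXTENSION = ".ryk"
HERMES_MARKER = b"HERMES"
PARTIAL_THRESHOLD = 57_000_000   # bytes; above this Ryuk encrypted only alternating blocks
FOOTER_WINDOW = 4096             # assumption: the marker sits within the last 4 KiB of the file


def find_hermes_marker(path, window=FOOTER_WINDOW):
    """Return the absolute offset of the last HERMES marker in the file's tail window, or None."""
    size = os.path.getsize(path)
    start = max(0, size - window)
    with open(path, "rb") as fh:
        fh.seek(start)
        tail = fh.read()
    idx = tail.rfind(HERMES_MARKER)
    return None if idx < 0 else start + idx


def classify_file(path, threshold=PARTIAL_THRESHOLD):
    """Label a file 'skipped', 'encrypted' or 'partial' from its extension, footer marker and size."""
    size = os.path.getsize(path)
    marker = find_hermes_marker(path)
    touched = path.lower().endswith(RYUK_EXTENSION) or marker is not None
    if not touched:
        state = "skipped"      # below the size floor, in an excluded directory, or never reached
    elif size > threshold:
        state = "partial"      # alternating blocks were skipped: plaintext pages worth carving
    else:
        state = "encrypted"
    return {"path": path, "size": size, "state": state, "marker_offset": marker}


def scan_tree(root, threshold=PARTIAL_THRESHOLD):
    """Walk a read-only mounted clone and yield one classification per regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                yield classify_file(full, threshold)


def summarize(root, threshold=PARTIAL_THRESHOLD):
    """Count files per state so encryption scope is known before any carving or repair starts."""
    counts = {"skipped": 0, "encrypted": 0, "partial": 0}
    for entry in scan_tree(root, threshold):
        counts[entry["state"]] += 1
    return counts
```

The marker offset reported for a partial file is the footer start, so everything the classifier flags as partial can be handed straight to a block-level carving pass.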
Ryuk Attack Chain
Ryuk is the final payload in a multi-stage intrusion. Understanding the attack timeline helps determine which storage media still contains recoverable data.
| Phase | Mechanism | Forensic Artifact | Recovery Implication |
|---|---|---|---|
| Initial Access | Emotet or TrickBot phishing payload; exploited RDP; BazarLoader in later campaigns | Event Log 4624/4625, Prefetch files, email gateway logs | Drives not connected during initial compromise often contain clean pre-attack backups |
| Lateral Movement | PsExec remote execution, WMI command dispatch, Cobalt Strike beacons, GPO deployment to domain-joined machines | SMB connection logs, scheduled task creation events, GPO modification timestamps | Air-gapped backups and isolated network segments may be entirely unaffected |
| Defense Neutralization | Kills 180+ services and 40+ processes: antivirus, SQL Server, Exchange, backup agents (Veeam, Acronis) | Service Control Manager events, process termination logs | Killed backup agents may have left partial backup files on disk that escaped encryption |
| Shadow Copy Deletion | vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete | VSS catalog entries, event ID 8224 | Deleted shadow copies persist on mechanical HDD platters until overwritten; raw sector scan can recover them |
| Encryption | AES-256 per-file encryption with RSA-2048 key wrapping; HERMES footer and .ryk extension appended | Ransom notes (RyukReadMe.html), .ryk files, HERMES footer bytes | Partial encryption of large files leaves extractable plaintext blocks; skipped small files remain intact |
The 54.4MB Decryptor Truncation Bug
In late 2019, Ryuk operators modified the malware to partially encrypt files larger than 57,000,000 bytes (54.4MB). This sped up attacks against servers with large databases and virtual disk files. The problem: the attacker's own decryptor miscalculates the footer length on these partially encrypted files.
When the decryptor processes a partially encrypted file, it strips one byte too many from the end of the restored file. For Word documents or PDFs, losing one byte may cause no visible damage. For VHD/VHDX virtual disk containers, Oracle .dbf database files, SQL Server .mdf files, and Exchange .edb files, that single missing byte corrupts the internal file structure and prevents the file from mounting.
The decryptor deletes the encrypted original after running.
If you ran the attacker's decryptor without first taking a sector-level clone, the truncated output is the only copy that remains. There is no second chance. Any organization considering running a Ryuk decryptor must first image every affected drive using hardware write-blockers. We perform this imaging using PC-3000 and DeepSpar Disk Imager before any decryption attempt.
For files already truncated by the flawed decryptor, we analyze the hex structure of the damaged footer, calculate the expected byte from the file's internal page structure, and pad the missing data to restore mountability. This hex-level reconstruction is specific to each file type: VHD/VHDX containers use a different footer checksum than Oracle .dbf page chains or SQL Server allocation bitmaps.
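An added example, not the lab's own repair tooling, of the one-byte padding described above for the VHD container case. Every VHD image ends in a 512-byte footer that opens with the cookie "conectix" and carries a big-endian checksum equal to the one's complement of the byte sum of the footer with the checksum field zeroed, so when exactly one trailing byte is missing, the value that makes the stored checksum verify again is the byte to restore. The sample footer builder and all function names are constructed for this example; VHDX and the Oracle and SQL Server formats named above have different structures and are not covered.

```python
import struct

VHD_FOOTER_SIZE = 512      # every VHD ends with this 512-byte footer
CHECKSUM_OFFSET = 64       # big-endian uint32 at bytes 64..67
COOKIE = b"conectix"


def vhd_footer_checksum(footer):
    """VHD spec: one's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\0" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def footer_is_valid(footer):
    """True only for a full 512-byte footer whose cookie and stored checksum both check out."""
    if len(footer) != VHD_FOOTER_SIZE or footer[:8] != COOKIE:
        return False
    stored = struct.unpack(">I", footer[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4])[0]
    return stored == vhd_footer_checksum(footer)


def repair_truncated_vhd(image):
    """Return (repaired_image, appended_byte); appended_byte is None if the footer was intact.

    Covers the one-byte-short case: the footer's first 511 bytes are still present, so the
    missing byte is the unique value under which the stored checksum verifies again."""
    if len(image) >= VHD_FOOTER_SIZE and footer_is_valid(image[-VHD_FOOTER_SIZE:]):
        return image, None
    partial = image[-(VHD_FOOTER_SIZE - 1):]
    if partial[:8] != COOKIE:
        raise ValueError("no 'conectix' cookie where a one-byte-short footer would begin")
    fits = [b for b in range(256) if footer_is_valid(partial + bytes([b]))]
    if len(fits) != 1:
        raise ValueError(f"{len(fits)} byte values satisfy the checksum; damage is not a single byte")
    return image + bytes([fits[0]]), fits[0]


def make_sample_footer(current_size, disk_type=2):
    """Constructed fixed-disk footer (not from a real image) with a correct checksum, for the demo."""
    f = bytearray(VHD_FOOTER_SIZE)
    f[0:8] = COOKIE
    struct.pack_into(">I", f, 8, 2)                    # features: reserved bit is always set
    struct.pack_into(">I", f, 12, 0x00010000)          # file format version 1.0
    struct.pack_into(">Q", f, 16, 0xFFFFFFFFFFFFFFFF)  # data offset: none for a fixed disk
    struct.pack_into(">Q", f, 40, current_size)        # original size
    struct.pack_into(">Q", f, 48, current_size)        # current size
    struct.pack_into(">I", f, 60, disk_type)           # 2 = fixed hard disk
    struct.pack_into(">I", f, CHECKSUM_OFFSET, vhd_footer_checksum(bytes(f)))
    return bytes(f)
```

Run the repair only against a copy carved from the write-blocked clone, and mount the result read-only to confirm the container opens before trusting it.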
Lab Recovery Procedure for Ryuk Cases
Every step uses hardware write-blockers. Infected drives never connect to a network or boot an operating system in our lab.
1. Isolate and Inventory
Disconnect all affected storage from the network. Document every drive (model, serial, capacity) and its role in the storage topology. Photograph server bays and NAS configurations before removing drives. Do not power on any drive that was connected during the attack until it is attached to a write-blocker.
2. Write-Blocked Forensic Cloning
Each drive is connected to PC-3000 or DeepSpar Disk Imager through hardware write-blockers. We create sector-by-sector clones, preserving unallocated space where deleted files and shadow copies reside. On RAID arrays, each member drive is imaged individually. We never allow the controller to initiate a rebuild.
3. Identify Encryption Scope
We parse the cloned image for HERMES footer markers and .ryk extensions to map which files were fully encrypted, partially encrypted, or skipped entirely. Files below the size threshold often include configuration files, small databases, and application settings that aid in system reconstruction even when large data files are encrypted.
4. Raw Sector Extraction
On mechanical hard drives, deleted files (including pre-encryption versions and Volume Shadow Copies) persist in unallocated sectors until overwritten. We scan the full disk image at the sector level for NTFS MFT remnants, VSS catalog entries, and file signatures. Ryuk's shadow copy deletion command removes the VSS catalog but does not zero the underlying snapshot data on the platters.
SSD limitation: TRIM/UNMAP commands cause the SSD controller to zero deleted blocks in the background. On SSDs, the window for recovering pre-encryption remnants from unallocated space is narrow. Imaging must happen before the controller completes garbage collection.
5. Hex-Level Database Repair
If the attacker's decryptor was already run and produced truncated files, we analyze the hex footer of each damaged file type. VHD/VHDX containers require checksum recalculation in the footer block. Oracle .dbf files need the final data block header padded to match the expected page boundary. SQL Server .mdf files require the allocation bitmap to reflect the corrected file length. Each repair is verified by mounting the corrected file in a sandboxed environment before delivery.
SMR Drive Failures During Ryuk Encryption
Ryuk's encryption process forces sustained random and sequential writes across the target drive as it reads, encrypts, and rewrites files. Consumer-grade Shingled Magnetic Recording (SMR) hard drives handle sustained random writes poorly: the internal media cache fills, the translator tables overflow, and the drive either locks up or suffers head damage from the thermal load.
The result: what started as a logical ransomware incident becomes a physical recovery. The drive stops responding before Ryuk finishes encrypting, leaving a mix of encrypted files, partially encrypted files, and untouched files on a drive that no longer functions. Before any data extraction can begin, we perform head swaps and firmware repair on our 0.02µm ULPA-filtered clean bench using PC-3000 to stabilize the drive and rebuild its translator tables.
This physical failure pattern is common on Western Digital SMR models (WD20EFAX, WD40EFAX, WD60EFAX) and Seagate BarraCuda models using SMR (ST2000DM008, ST4000DM004) deployed in NAS enclosures and small office servers. If your Ryuk-affected drives are clicking, grinding, or not spinning, the encryption may have caused hardware damage that requires physical recovery ($1,200 to $1,500 for head swaps) before we can image and extract data.
What No Lab Can Do
- Break AES-256 or RSA-2048 encryption without the private key. No mathematical shortcut exists.
- Decrypt Ryuk-encrypted files without the attacker's private key. No public decryptor has been released for any Ryuk variant.
- Recover deleted file remnants from SSDs where TRIM has zeroed the blocks.
- Reverse truncation damage from the Ryuk decryptor if no sector-level clone was taken before the decryptor ran.
- Guarantee 100% file recovery from a fully encrypted volume where no shadow copies or skipped files remain.
Any company claiming guaranteed Ryuk decryption without the private key is either paying the ransom on your behalf (and billing you for it) or fabricating their capabilities.
Who Ryuk Targeted
Ryuk operators selected victims based on perceived ability to pay and urgency of data access. Three sectors were disproportionately affected between 2018 and 2023.
Healthcare
Hospitals and health systems were primary targets because patient care depends on immediate access to EHR, PACS imaging, and pharmacy systems. Universal Health Services (400 facilities) was hit in September 2020, forcing clinicians to paper records for weeks. Ryuk operators exploited the life-safety urgency to demand higher ransoms.
Municipalities
City and county governments were targeted for their combination of legacy infrastructure, limited IT budgets, and public accountability pressure. The City of New Orleans declared a state of emergency after a Ryuk attack in December 2019. Jackson County, Georgia paid $400,000 in ransom after Ryuk encrypted its court and public safety systems.
Education
School districts and universities were targeted for the same reasons as municipalities: flat networks, underfunded IT, and pressure to restore access for students and staff. Lincoln County School District (Mississippi) and Baltimore County Public Schools both experienced Ryuk attacks that disrupted operations for weeks.
Ransomware Recovery Pricing
Ransomware recovery pricing follows our standard hard drive recovery tiers. Cost depends on the physical condition of your drives, not the ransomware variant. A healthy drive that needs imaging and sector scanning falls at the lower end. A drive with head damage from SMR overload during encryption requires physical repair first and falls at the higher end. Our no data, no fee guarantee applies to all ransomware cases.
| Service Tier | Complexity | Price | Symptom | Diagnosis | Terms |
|---|---|---|---|---|---|
| Simple Copy | Low | $100 | Your drive works, you just need the data moved off it | Functional drive; data transfer to new media | Rush available: +$100 |
| File System Recovery | Low | From $250 | Your drive isn't recognized by your computer, but it's not making unusual sounds | File system corruption. Accessible with professional recovery software but not by the OS | Starting price; final depends on complexity |
| Firmware Repair | Medium (PC-3000 required) | $600–$900 | Your drive is completely inaccessible. It may be detected but shows the wrong size or won't respond | Firmware corruption: ROM, modules, or translator tables corrupted; requires PC-3000 terminal access | Standard drives at lower end; high-density drives at higher end |
| Head Swap | High (clean bench surgery) | $1,200–$1,500 | Your drive is clicking, beeping, or won't spin. The internal read/write heads have failed | Head stack assembly failure. Transplanting heads from a matching donor drive on a clean bench | 50% deposit required. Donor parts are consumed in the repair |
| Surface / Platter Damage | High (clean bench surgery) | $2,000 | Your drive was dropped, has visible damage, or a head crash scraped the platters | Platter scoring or contamination. Requires platter cleaning and head swap | 50% deposit required. Donor parts are consumed in the repair. Most difficult recovery type. |
Hardware Repair vs. Software Locks
Our "no data, no fee" policy applies to hardware recovery. We do not bill for unsuccessful physical repairs. If we replace a hard drive read/write head assembly or repair a liquid-damaged logic board to a bootable state, the hardware repair is complete and standard rates apply. If data remains inaccessible due to user-configured software locks, a forgotten passcode, or a remote wipe command, the physical repair is still billable. We cannot bypass user encryption or activation locks.
All tiers: Free evaluation and firm quote before any paid work. No data, no fee on simple copy, file system, and firmware tiers. Head swap and surface damage require a 50% deposit because donor parts are consumed in the attempt.
Target drive: The destination drive we copy recovered data onto. You can supply your own or we provide one at cost. For ultra-high-capacity drives (20TB and above), the target drive costs approximately $400+ due to the large media required. All prices are plus applicable tax.
Data Recovery Standards & Verification
Our Austin lab operates on a transparency-first model. We use industry-standard recovery tools, including PC-3000 and DeepSpar, combined with strict environmental controls to make sure your hard drive is handled safely and properly. This approach allows us to serve clients nationwide with consistent technical standards.
Open-drive work is performed in a ULPA-filtered laminar-flow bench, validated to 0.02 µm particle count, verified using TSI P-Trak instrumentation.
Transparent History
Serving clients nationwide via mail-in service since 2008. Our lead engineer holds PC-3000 and HEX Akademia certifications for hard drive firmware repair and mechanical recovery.
Media Coverage
Our repair work has been covered by The Wall Street Journal and Business Insider, with CBC News reporting on our pricing transparency. Louis Rossmann has testified in Right to Repair hearings in multiple states and founded the Repair Preservation Group.
Aligned Incentives
Our "No Data, No Charge" policy means we assume the risk of the recovery attempt, not the client.
Technical Oversight
Louis Rossmann
Louis Rossmann's well-trained staff review our lab protocols to ensure technical accuracy and honest service. Since 2008, his focus has been on clear technical communication and accurate diagnostics rather than sales-driven explanations.
We believe in proving standards rather than just stating them. We use TSI P-Trak instrumentation to verify that clean-air benchmarks are met before any drive is opened.
See our clean bench validation data and particle test video.
Ryuk Recovery Questions
Can Ryuk-encrypted files be recovered without paying the ransom?
What is the Ryuk decryptor 54.4MB truncation bug?
Our hospital was hit by Ryuk. Can you recover patient records?
Ryuk encrypted our server RAID array. What is the recovery process?
Our drives started clicking after the Ryuk attack. What happened?
Ryuk Hit Your Network?
Send us the affected drives. We image offline, scan raw sectors for unencrypted data, and repair databases truncated by the flawed decryptor. No ransom payment. No data, no fee.