Kaspersky cracks Yanluowang ransomware, offers free decryptor

Step one, get some scrambled files back. Steps two through 37...


Kaspersky has found a vulnerability in the Yanluowang ransomware encryption algorithm and, as a result, released a free decryptor tool to help victims of this software nasty recover their files.

Yanluowang, named after a Chinese deity and underworld judge, is a type of ransomware that has been used against financial institutions and other firms in America, Brazil, and Turkey as well as a smaller number of organizations in Sweden and China, Kaspersky said yesterday. The Russian security shop said it found a fatal flaw in the ransomware's encryption system and those afflicted can get a free fix to restore their scrambled data.

Symantec's threat hunters uncovered this Windows ransomware strain in the fall and said unknown fiends have been using it to infect US corporations since at least August 2021.

The cybercriminals usually go after financial institutions, and have also infected companies in manufacturing, IT services, consultancy and engineering sectors, Symantec said in November.

According to Kaspersky's analysis, the malware's functionality includes the ability to terminate virtual machines, processes, and services, the goal being to halt any running databases, email software, browsers, programs working with documents, security tools, backup operations, and shadow copy services.

Yanluowang is executed manually or through a combination of scripts on the infected system. Additionally, it uses the Sosemanuk stream cipher to encrypt files, as well as the RSA-1024 asymmetric algorithm to encrypt its key.

Another notable characteristic of this ransomware is that it divides files: those smaller than 3GB are completely encrypted, and larger files are encrypted in stripes, typically 5MB after every 200MB.

Dangerous, but fixable

However, after analyzing the ransomware, Kaspersky's team found a vulnerability that will allow organizations to decrypt files using the Rannoh decryption tool. They also provide instructions on how to do this.

First, you need at least one original file. And because the ransomware divides files along a 3GB limit, there are certain conditions that must be met:

  • To decrypt small files (less than or equal to 3GB), you need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
  • To decrypt big files (more than 3GB), you need a pair of files (encrypted and original) no less than 3GB in size each. This will be enough to decrypt both big and small files.

And while a free decryptor is a lifesaver for companies already hit by Yanluowang, the vendor naturally recommends enterprises adopt comprehensive defense measures to detect and stop any future infections.

We'd like to note that decrypting scrambled files is only one step in a long road to recovery. You'll have to find out how the intruders got in, and patch that hole or holes, and consider wiping all endpoints anyway as they may well be infected with backdoors and other malicious code. Then think about intrusion detection, regular backups, restoration planning and processes, network segmentation, patching strategies, security breach notifications and reporting, investigations, and more.

But at least you might get your documents back in the short term. ®


Other stories you might like

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
    Microsoft details this ransomware-as-a-service

    Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-as-service (RaaS) offering.

    The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

    In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

    Continue reading
  • $6b mega contract electronics vendor Sanmina jumps into zero trust
    Company was an early adopter of Google Cloud, which led to a search for a new security architecture

    Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.

    Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.

    With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022