This article is more than 1 year old
Kaspersky cracks Yanluowang ransomware, offers free decryptor
Step one, get some scrambled files back. Steps two through 37...
Kaspersky has found a vulnerability in the Yanluowang ransomware encryption algorithm and, as a result, released a free decryptor tool to help victims of this software nasty recover their files.
Yanluowang, named after a Chinese deity and underworld judge, is a type of ransomware that has been used against financial institutions and other firms in America, Brazil, and Turkey as well as a smaller number of organizations in Sweden and China, Kaspersky said yesterday. The Russian security shop said it found a fatal flaw in the ransomware's encryption system and those afflicted can get a free fix to restore their scrambled data.
Symantec's threat hunters uncovered this Windows ransomware strain in the fall and said unknown fiends have been using it to infect US corporations since at least August 2021.
The cybercriminals usually go after financial institutions, and have also infected companies in manufacturing, IT services, consultancy and engineering sectors, Symantec said in November.
- Don't let ransomware crooks spend months in your network – like this govt agency did
- Backup frustration brought this CTO to forefront of ransomware protection
- Borat RAT: Multiple threat of ransomware, DDoS and spyware
- Broader investment in cybersecurity beginning to pay dividends
According to Kaspersky's analysis, the malware's functionality includes the ability to terminate virtual machines, processes, and services, the goal being to halt any running databases, email software, browsers, programs working with documents, security tools, backup operations, and shadow copy services.
Yanluowang is executed manually or through a combination of scripts on the infected system. Additionally, it uses the Sosemanuk stream cipher to encrypt files, as well as the RSA-1024 asymmetric algorithm to encrypt its key.
Another notable characteristic of this ransomware is that it divides files: those smaller than 3GB are completely encrypted, and larger files are encrypted in stripes, typically 5MB after every 200MB.
Dangerous, but fixable
However, after analyzing the ransomware, Kaspersky's team found a vulnerability that will allow organizations to decrypt files using the Rannoh decryption tool. They also provide instructions on how to do this.
First, you need at least one original file. And because the ransomware divides files along a 3GB limit, there are certain conditions that must be met:
- To decrypt small files (less than or equal to 3GB), you need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
- To decrypt big files (more than 3GB), you need a pair of files (encrypted and original) no less than 3GB in size each. This will be enough to decrypt both big and small files.
And while a free decryptor is a lifesaver for companies already hit by Yanluowang, the vendor naturally recommends enterprises adopt comprehensive defense measures to detect and stop any future infections.
We'd like to note that decrypting scrambled files is only one step in a long road to recovery. You'll have to find out how the intruders got in, and patch that hole or holes, and consider wiping all endpoints anyway as they may well be infected with backdoors and other malicious code. Then think about intrusion detection, regular backups, restoration planning and processes, network segmentation, patching strategies, security breach notifications and reporting, investigations, and more.
But at least you might get your documents back in the short term. ®