June 27, 2022

TheCyberThrone

Thinking Security ! Always

Yanluowang ransomware decryptor- Kaspersky

Kaspersky has found a weakness in the Yanluowang ransomware's encryption scheme and, as a result, has released a free decryptor tool to help victims of the malware recover their files.

Yanluowang is a type of ransomware that has been used against financial institutions and other firms in America, Brazil, and Turkey as well as a smaller number of organizations in Sweden and China.


The cybercriminals usually go after financial institutions and have also infected companies in the manufacturing, IT services, consultancy, and engineering sectors.

The malware’s functionality includes the ability to terminate virtual machines, processes, and services, the goal being to halt any running databases, email software, browsers, programs working with documents, security tools, backup operations, and shadow copy services.

Yanluowang is executed manually or through a combination of scripts on the infected system. Additionally, it uses the Sosemanuk stream cipher to encrypt files, as well as the RSA-1024 asymmetric algorithm to encrypt its key.

The key characteristic of this ransomware is that it divides files: those smaller than 3GB are completely encrypted, and larger files are encrypted in stripes, typically 5MB after every 200MB.


After analyzing the ransomware, Kaspersky's team found a weakness that allows affected organizations to decrypt their files using the Rannoh decryption tool.

The original (unencrypted) copy of a file is required for this process, and because the ransomware handles files differently on either side of the 3GB limit, certain conditions must be met:

  • To decrypt small files (less than or equal to 3GB), you need a pair of files (encrypted and original) 1024 bytes or more in size. This is enough to decrypt all other small files.
  • To decrypt big files (more than 3GB), you need a pair of files (encrypted and original) no less than 3GB in size each. This is enough to decrypt both big and small files.
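To see why an original/encrypted pair is the raw material for recovery, here is an added Python illustration (not Kaspersky's decryptor and not the ransomware's code). It models the simplest known-plaintext situation for a stream cipher: if every file is XORed with the same keystream starting at offset 0 (an assumption; the post does not say exactly what weakness Kaspersky found), then XORing one original with its encrypted copy yields the keystream, which then decrypts other files. SHA-256 in counter mode stands in for Sosemanuk, since the XOR algebra is identical for any stream cipher. In this basic model the recovered bytes only cover the length of the known pair; Kaspersky's tool evidently goes further (a 1024-byte pair suffices for all small files), but the post does not describe how, and this example does not claim to. All file contents and the key are constructed sample data.

```python
"""Defender-side model of known-plaintext keystream recovery (added illustration)."""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream generator (SHA-256 counter mode, NOT Sosemanuk)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR the common prefix of two byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_small_file(plain: bytes, key: bytes) -> bytes:
    """Model of the 'small file' path: the whole file is XORed with a
    keystream that restarts at offset 0 for every file (assumption)."""
    return xor(plain, keystream(key, len(plain)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: pt XOR (pt XOR ks) = ks, for as many bytes
    as the original/encrypted pair is long."""
    if len(original) != len(encrypted):
        raise ValueError("pair must be the same file before and after encryption")
    return xor(original, encrypted)


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> tuple[bytes, int]:
    """Decrypt another file with the recovered keystream. Returns the
    decrypted bytes plus how many trailing bytes could NOT be recovered
    because the known pair was shorter than this file."""
    usable = min(len(encrypted), len(ks))
    recovered = xor(encrypted[:usable], ks[:usable]) + encrypted[usable:]
    return recovered, len(encrypted) - usable


# Constructed sample data: one key, three victim files.
KEY = hashlib.sha256(b"constructed-demo-key").digest()
KNOWN_PAIR_PLAIN = bytes(range(256)) * 4                       # 1024 bytes, original still on backup
OTHER_SMALL = b"quarterly ledger, constructed sample\n" * 20  # 740 bytes, shorter than the pair
LONGER_FILE = b"Z" * 2000                                     # longer than the known pair


def demo() -> dict:
    """Recover the keystream from one pair and apply it to two other files."""
    known_enc = encrypt_small_file(KNOWN_PAIR_PLAIN, KEY)
    ks = recover_keystream(KNOWN_PAIR_PLAIN, known_enc)
    other_dec, other_missing = decrypt_with_keystream(encrypt_small_file(OTHER_SMALL, KEY), ks)
    long_dec, long_missing = decrypt_with_keystream(encrypt_small_file(LONGER_FILE, KEY), ks)
    return {
        "keystream_bytes": len(ks),
        "other_recovered": other_dec == OTHER_SMALL,   # fully recovered: pair was long enough
        "other_missing": other_missing,
        "long_prefix_ok": long_dec[: len(ks)] == LONGER_FILE[: len(ks)],
        "long_missing": long_missing,                  # tail beyond the known pair stays encrypted
    }


if __name__ == "__main__":
    print(demo())
```

The `long_missing` value is the practical caveat: in this plain model a short pair only unlocks a prefix of longer files, which is why the size of the known pair matters and why the tool's own requirements (1024 bytes for small files, 3GB for big ones) are the numbers to go by.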