The cybersecurity firm Kaspersky has released a decryptor for Yanluowang Ransomware.

“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack,” the company said today.

Yanluowang is a type of targeted ransomware discovered by the Symantec Threat Hunter team while it was investigating an incident on a large corporate network. Kaspersky experts have found a vulnerability in the Yanluowang encryption algorithm and created a free decryptor to help victims of this ransomware recover their files.

This ransomware strain treats files bigger than 3 GB and files smaller than 3 GB differently: larger files are only partially encrypted, in 5 MB stripes after every 200 MB, while smaller files are encrypted in full from start to end.

Because of this, “if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.”

To decrypt your files, you need at least one of the original files:

  • To decrypt small files (less than or equal to 3 GB), you need a pair of files (encrypted and original) with a size of 1024 bytes or more. This is enough to decrypt all other small files.
  • To decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.

To decrypt files encrypted by Yanluowang ransomware, you have to use the Rannoh decryption tool available for download from Kaspersky’s servers.

Here are Kaspersky’s recommendations for staying safe from ransomware attacks:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords.
  • Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways to your network.
  • Always keep software up to date on all your devices to prevent ransomware from exploiting vulnerabilities.
  • Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access your backups in an emergency.
  • To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided on Kaspersky Automated Security Awareness Platform.
  • Use the latest Threat Intelligence information to stay on top of actual TTPs used by threat actors.
  • Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response service which help to identify and stop an attack in the early stages, before attackers can achieve their objectives.
  • Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine capable of rolling back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.