Kaspersky offers free Yanluowang ransomware decryptor tool
Yanluowang is ransomware discovered by Symantec’s Threat Hunting team that targets certain large enterprises. Little is known about the gang behind Yanluowang, but this ransomware has hit companies in China, the United States, Turkey, and Brazil. Fortunately, Kaspersky Lab found a flaw in the encryption algorithm used by malware, and Kaspersky launched a free Yanluowang ransomware decryptor tool with the help of this bug.
According to the analysis of the security company, the Yanluowang ransomware has the ability to terminate virtual machines, processes, and services, because only after termination can data be encrypted. Terminated services and processes include databases, email systems, browsers, office software, security software, and built-in backup and restore tools. When the ransomware successfully terminates the above software and services, it can encrypt all data, making it difficult for victims to restore data directly through the backup system.
In terms of the encryption method, Yanluowang uses the RSA-1024 asymmetric algorithm to encrypt its key, and the RSA public key is directly embedded in the main program of the ransomware. In addition, the ransomware RC4 algorithm is encrypted, and its key is a string that is also placed in the main program, and the encrypted file suffix is changed to .yanluowang. If the file to be encrypted is larger than 3GB, it will be divided. The big files are encrypted in stripes: 5 megabytes after every 200 megabytes, while the small file is completely encrypted.
Analysis by Kaspersky security experts found that Yanluowang has an algorithmic vulnerability that allows the decryption of affected users’ files through known-plaintext attacks. To decrypt a file, you should have at least one original file. At present, Kaspersky has launched a decryption tool called Rannoh, which contains the decryption algorithm for the Yama Ransomware to decrypt files. The Yanluowang ransomware was flagged by Kaspersky as Trojan-Ransom.Win32.Yanluowang, or PDM:Trojan.Win32.Generic.
You can download the Yanluowang ransomware decryptor tool here.