Free decryptor now available for Yanluowang victims – Kaspersky

Last updated: May 19, 2025
  • Yanluowang attacks large organizations in different countries, including the U.S., Brazil and Turkey.
  • It encrypts victims' files with its own algorithm, appends the .yanluowang extension and then demands a ransom for the decryption key.
  • Kaspersky offers a way to unlock the files after discovering a vulnerability in the algorithm.

The cybersecurity firm Kaspersky has announced a free solution for all victims of the ransomware. Yanluowang encrypts the target's files and demands a ransom for a decryption key. One particularly nasty aspect of this ransomware is that the criminals sometimes collect the ransom and still fail to send a working decryption key. Thankfully, Kaspersky has discovered a flaw in the ransomware's encryption algorithm that lets it recover the encrypted files. According to the reports, Yanluowang encrypts files larger than 3 GB only partially, in 5 MB stripes after every 200 MB, while files smaller than 3 GB are encrypted in full.

Yanluowang first came to light last year, when companies in Turkey, the U.S. and Brazil reported attacks. The first incident was in October 2021, when Broadcom's Symantec Threat Hunter Team discovered it. The threat actors' use of AdFind raised a red flag for the security researchers, and some days later the criminals attempted to deploy the ransomware payloads on their victims' systems. They even threatened to conduct DDoS attacks if the victims broke the ransom rules.

A month later, a Yanluowang affiliate attacked U.S. organizations in the financial industry using the BazarLoader malware. Security researchers observed the TTPs of the attacks and linked them to the Fivehands group's Thieflock ransomware.

Understanding the Yanluowang ransomware

Yanluowang is a novel ransomware family that threat actors use to target large organizations in a bid to extort money from them. Generally, ransomware has one objective: to lock victims out of their apps, files and databases. Its mode of operation is to encrypt the data with an algorithm so that the owners can no longer open it.

Like other ransomware, Yanluowang encrypts victims' files and demands a ransom for them. It shuts down almost everything as soon as it enters a target's network: processes across the network stop working, and every file is given the .yanluowang extension. The victim also receives a file named "README.txt" warning them against contacting any third-party negotiator or law enforcement agency.

The attackers also threaten to launch a DDoS (distributed denial of service) attack if the victim breaks the terms, and they extend that threat to the organization's business partners and employees. Another pressure tactic is to threaten that the victims will lose all their data after a few weeks if they fail to pay the ransom.

How to recover the encrypted files 

The Yanluowang flaw is exploited with a known-plaintext attack. It requires the victim to have two versions of at least one encrypted file: the encrypted copy and the clean original. If such clean files are available, the Kaspersky Rannoh Decryptor can recover all the files by analyzing them.

These clean files must match the size class of the files being recovered. To recover files smaller than 3 GB, you need an original and its encrypted copy of at least 1024 bytes. To recover files larger than 3 GB, you need a clean original larger than 3 GB together with its encrypted copy.

What organizations can do against ransomware attacks

  • Protect remote desktop services from public networks. If you must expose them, use strong, unique passwords.
  • Use commercial VPN services to let remote employees access the company network.
  • Always update all software so attackers cannot exploit known flaws.
  • Monitor all outgoing traffic to identify potential connections to cybercriminals' infrastructure.
  • Back up your data regularly and store the backups where they can be reached quickly in an emergency.
  • Use a strong endpoint security service to identify possible attacks before it's too late.