Security vendor Kaspersky has discovered a vulnerability in the encryption used by the Yanluowang ransomware. Because of this vulnerability, the encryption of files can be cracked under certain circumstances. A free decryptor for Yanluowang ransomware is now available. However, samples of encrypted files together with their unencrypted originals are needed for the decryption.
The Yanluowang ransomware
Yanluowang is a relatively new ransomware used by previously unknown attackers to attack large companies. It was first reported late last year. In order to trigger the encryption process, the malware needs to receive the appropriate arguments, which suggests that a user manually controls the attack. Yanluowang's previous victims include companies in the U.S., Brazil and Turkey.
A decryptor from Kaspersky
I came across the information via the following tweet that Kaspersky has cracked the previous versions of the Yanluowang ransomware and was able to provide a decryptor to decrypt encrypted data.
The background to this success: a vulnerability in the Yanluowang malware allows files to be decrypted using a known-plaintext attack. This method breaks the encryption when two versions of the same file are available: the original and its encrypted counterpart. Thus, if the victim has clean copies of some encrypted files or knows where to find them, Kaspersky's Rannoh Decryptor, enhanced with the appropriate functions, can analyze them and recover the information from the encrypted files.
A small catch
The problem with the whole approach is that Yanluowang encrypts files in different ways, depending on their size. Small files (less than 3 GB) are fully encrypted, while large ones are only partially encrypted. So, clean files of different sizes are required for their decryption. For files smaller than 3 GB, it is enough to have the original and an encrypted version of a file with a size of 1024 bytes or more. For the recovery of files larger than 3 GB, however, original files of the corresponding size are required. If victims do find a clean (i.e. unencrypted) file larger than 3 GB, it is generally possible to recover all the affected information.
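The two sections above describe, first, how a known-plaintext attack recovers key material from an original/encrypted file pair, and second, why the size of the clean file matters when only a prefix of large files is encrypted. The following is an added example, not code from the article, from Kaspersky or from the Rannoh Decryptor. It uses a constructed toy stream cipher whose keystream depends only on a fixed key (no per-file nonce), which is the classic setting in which a known-plaintext attack works; whether Yanluowang's real cipher has exactly this property is not stated on the page and is treated here as an assumption. The 3 GB threshold and the "partial encryption" rule are scaled down to a few kilobytes, and the choice to encrypt the leading bytes of large files is also an assumption. Unlike the real decryptor, which the article says needs only a 1024-byte pair for any file under 3 GB, this toy can only recover as many keystream bytes as the known pair provides, which is exactly what makes the "clean file of the corresponding size" caveat visible.

```python
import hashlib
import random
from typing import Optional

# Constructed stand-in key. A keystream derived from a fixed key alone means every
# file is XORed with the same keystream prefix, so one known plaintext/ciphertext
# pair reveals that prefix for all other files. (Assumption for this demo only.)
FIXED_KEY = b"constructed-demo-key-not-real"

# Scaled-down stand-ins for the size rules described in the article
# (3 GB full-encryption threshold; larger files only partially encrypted).
FULL_ENCRYPT_LIMIT = 4096   # files below this size are fully encrypted
PARTIAL_PREFIX = 8192       # larger files: only this many leading bytes (assumption)


def keystream(length: int) -> bytes:
    """Toy key-only keystream: SHA-256 in counter mode. Not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(FIXED_KEY + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypted_region(size: int) -> int:
    """How many leading bytes of a file of this size the toy malware encrypts."""
    return size if size < FULL_ENCRYPT_LIMIT else min(size, PARTIAL_PREFIX)


def encrypt_like_malware(data: bytes) -> bytes:
    """Full encryption below the limit, prefix-only encryption above it."""
    n = encrypted_region(len(data))
    return xor_bytes(data[:n], keystream(n)) + data[n:]


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: XORing a clean file with its encrypted twin yields
    the keystream bytes that covered that file's encrypted region."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file must be the same size")
    n = encrypted_region(len(original))
    return xor_bytes(original[:n], encrypted[:n])


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the recovered keystream is shorter
    than this file's encrypted region (the clean sample was too small)."""
    n = encrypted_region(len(encrypted))
    if len(ks) < n:
        return None
    return xor_bytes(encrypted[:n], ks[:n]) + encrypted[n:]


def demo() -> dict:
    """Constructed victim files: one clean/encrypted pair of 1024 bytes, one
    small file without a clean copy, one large (partially encrypted) file."""
    rnd = random.Random(7)
    known_clean = rnd.randbytes(1024)                        # clean copy still on hand
    small_victim = rnd.randbytes(900)                        # no clean copy available
    large_victim = rnd.randbytes(FULL_ENCRYPT_LIMIT + 500)   # partially encrypted
    known_large_clean = rnd.randbytes(len(large_victim))     # clean file of matching size

    ks_small = recover_keystream(known_clean, encrypt_like_malware(known_clean))
    ks_large = recover_keystream(known_large_clean, encrypt_like_malware(known_large_clean))

    return {
        # a 1024-byte pair is enough for other small files
        "small_file_recovered":
            decrypt_with_keystream(encrypt_like_malware(small_victim), ks_small) == small_victim,
        # the same pair cannot cover the larger encrypted region of a big file
        "large_file_with_small_pair_fails":
            decrypt_with_keystream(encrypt_like_malware(large_victim), ks_small) is None,
        # a clean file of the corresponding size does cover it
        "large_file_with_large_pair":
            decrypt_with_keystream(encrypt_like_malware(large_victim), ks_large) == large_victim,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The three results from `demo()` mirror the article's rules: a small known pair is enough for other small files, it is not enough for a partially encrypted large file, and a clean large file of matching size closes that gap. The security lesson for defenders is the converse of the recovery trick: any encryption scheme that reuses a keystream across files is broken by a single known pair, which is precisely why incident responders are told to preserve untouched copies of encrypted files and to search backups and mail attachments for their clean originals before paying anything.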