Kaspersky releases free decryptor for Yanluowang ransomware
While the Russian security firm has fallen out of favor in recent months, Kaspersky has announced that it has managed to crack the Yanluowang ransomware.
Yanluowang was discovered by Symantec last year, and now Kaspersky has identified a vulnerability in the encryption algorithm it uses. This has enabled the company to develop a free decryption tool which can be used by ransomware victims to get their data back without having to pay a cent.
Yanluowang is known to have struck in various countries including the United States, Brazil and Turkey. The decryptor that has been developed will be welcomed by victims, but Kaspersky warns that at least one original file is needed in order for it to work.
In a posting about the release of the free tool, Kaspersky says:
Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack. All that was required for this to work was added to the Rannoh decryption tool.
To decrypt a file, you should have at least one original file. As mentioned earlier, the Yanluowang ransomware divides files into big and small files along a 3 gigabyte threshold. This creates a number of conditions that must be met in order to decrypt certain files:
- To decrypt small files (less than or equal to 3 GB), you need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
- To decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.
More information is available in Kaspersky's How to recover files encrypted by Yanluowang post.
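During incident triage, the size conditions quoted above can be applied to an inventory of encrypted files to see what a located original/encrypted pair makes recoverable. The following Python is an added example, not code from Kaspersky or the Rannoh tool; it assumes "3 GB" means 3 × 2^30 bytes and that a file's class can be judged from its encrypted size, and the names `Pair`, `coverage` and `triage` and all sample sizes are constructed.

```python
from dataclasses import dataclass

GB = 1024 ** 3            # assumption: "3 GB" read as 3 * 2**30 bytes
BIG_THRESHOLD = 3 * GB    # files above this are "big" in the quoted text
MIN_PAIR_SIZE = 1024      # smallest pair usable for small files


@dataclass(frozen=True)
class Pair:
    """Sizes in bytes of a known original file and its encrypted copy."""
    original: int
    encrypted: int


def coverage(pairs):
    """Return (small_ok, big_ok) for the pairs an investigator has located."""
    small_ok = big_ok = False
    for p in pairs:
        smaller = min(p.original, p.encrypted)
        if smaller >= BIG_THRESHOLD:      # both files "no less than 3 GB"
            small_ok = big_ok = True      # such a pair covers both classes
        elif smaller >= MIN_PAIR_SIZE:    # both files at least 1024 bytes
            small_ok = True
    return small_ok, big_ok


def triage(pairs, encrypted_sizes):
    """Split an inventory {name: encrypted size} into recoverable/blocked."""
    small_ok, big_ok = coverage(pairs)
    plan = {"recoverable": [], "blocked": []}
    for name, size in encrypted_sizes.items():
        is_big = size > BIG_THRESHOLD     # "more than 3 GB"
        ok = big_ok if is_big else small_ok
        plan["recoverable" if ok else "blocked"].append(name)
    return plan


if __name__ == "__main__":
    # Constructed inventory: one small known pair, two encrypted files.
    known = [Pair(original=2048, encrypted=2048)]
    inventory = {"report.docx": 48_000, "vm-disk.vmdk": 5 * GB}
    print(triage(known, inventory))
```

A file listed as blocked stays that way until a qualifying pair of at least 3 GB is found, for example from a backup or an unmodified installer image.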