Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free.
Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom.
The Yanluowang ransomware was first spotted by researchers from Symantec's Threat Hunter Team in October 2021; the malware was used in highly targeted attacks against large enterprises.
The discovery is part of an investigation into an attempted ransomware attack against a large organization.
Kaspersky implemented the decrypting process for the Yanluowang ransomware in its RannohDecryptor tool. In order to decrypt their files, victims of this family of ransomware should have at least one original file.
“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack.” reads the post published by the company.
The Yanluowang ransomware uses different encryption routines depending on the size of the files.
Files greater than 3GB are partially encrypted in stripes, 5MB after every 200MB, while files smaller than 3GB are completely encrypted from beginning to end.
For this reason, to decrypt files the following conditions must be met:
- To decrypt small files (less than or equal to 3 GB), users need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
- To decrypt big files (more than 3 GB), users need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
“By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.” continues the post.
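As an added illustration, not Kaspersky's decryptor and not the ransomware's real cipher (the post does not describe its internals), the following Python toy models the two points above: the stripe layout for files over 3 GB, and why a single (original, encrypted) pair lets a responder decrypt other files when the same keystream is applied to every file. Assumptions that are mine, not the post's: stripes are aligned at offset 0, and the toy keystream generator leaks its seed in its first block, which is why a short pair suffices.

```python
import hashlib

# File layout stated in the post: files > 3 GB are only striped (5 MB encrypted
# per 200 MB); smaller files are encrypted in full.
STRIPE_THRESHOLD = 3 * 1024**3
STRIPE_PERIOD = 200 * 1024**2
STRIPE_LEN = 5 * 1024**2
SEED_LEN = 32

def encrypted_ranges(size):
    """Byte ranges the ransomware touches. Stripe alignment at offset 0 is an assumption."""
    if size <= STRIPE_THRESHOLD:
        return [(0, size)]
    return [(s, min(s + STRIPE_LEN, size)) for s in range(0, size, STRIPE_PERIOD)]

def toy_keystream(seed, length):
    """Toy generator (NOT Yanluowang's cipher): emits its seed first, then
    SHA-256 counter blocks, so the first 32 keystream bytes reveal the seed."""
    out = bytearray(seed)
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])

def xor_ranges(data, ks, ranges):
    """XOR keystream into the given ranges only; bytes outside them are untouched."""
    buf = bytearray(data)
    for start, end in ranges:
        for i in range(start, end):
            buf[i] ^= ks[i]
    return bytes(buf)

def toy_encrypt(seed, data):
    """Same seed for every file: the keystream reuse that makes a known-plaintext attack possible."""
    return xor_ranges(data, toy_keystream(seed, len(data)), encrypted_ranges(len(data)))

def recover_seed(original, encrypted):
    """Known-plaintext step: XOR of an (original, encrypted) pair yields keystream bytes,
    and in this toy the first block of keystream is the generator seed itself."""
    if min(len(original), len(encrypted)) < SEED_LEN:
        raise ValueError("pair too short to recover the generator state")
    return bytes(p ^ c for p, c in zip(original[:SEED_LEN], encrypted[:SEED_LEN]))

def decrypt_other(seed, encrypted):
    """Decrypt any other victim file with the recovered seed (XOR is its own inverse)."""
    return toy_encrypt(seed, encrypted)
```

With a real decryptor the bound on file sizes comes from how much keystream can be recovered or regenerated, which is the reason the post ties each size class to a minimum pair length.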
The Symantec researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.
Before the ransomware is deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:
- Creates a .txt file with the number of remote machines to check in the command line
- Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
- Logs all the processes and remote machine names to processes.txt
The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.
Upon deploying the Yanluowang ransomware, it will stop hypervisor virtual machines, end all processes logged by the above tool (including SQL and back-up solution Veeam), then it will encrypt files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.
The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators threaten to launch distributed denial of service (DDoS) attacks against the victim if it does not respect their rules. They also threaten to call employees and business partners to damage the victim's brand reputation, and to attack the victim again in a few weeks and delete its data.