The ransomware dubbed Yanluowang targets companies around the world, encrypting files on their computers and blocking access to their systems, so that victims cannot access their data. Previously, victims’ only solution was to pay a ransom to the cybercriminals. However, after analyzing the ransomware, Kaspersky researchers have developed a free tool that allows victims to recover their affected files without using the attackers' key. The tool is already available on the No Ransom website.
Yanlouwang was first discovered in October 2021. Its name is a reference to the Chinese deity, Yanluo Wang, one of the ten kings of hell. According to Kaspersky telemetry, Yanlouwang has been attacking large businesses in the United States, Turkey, Brazil and other countries.
An attack using Yanluowang begins with an operator manually launching encryption. While encrypting the victims’ files, this ransomware changes file extensions to “.Yanlouwang.” After attacking the computer, an open-access file is left with a ransom note. Cybercriminals threaten the victim that if they go to the police all files on the infected computer will be deleted. Even after deletion of all files, they will still not be left alone: Yanluowang's authors threaten to then attack the entire company with DDoS attacks and ransomware infections on the company’s employee computers. An example of a Yanluowang attack ransom note
Kaspersky experts analyzed the ransomware and found a vulnerability that allows victims to decrypt files on an infected computer. The user needs to have one or more original files and download a specially designed decryption tool. The victim is then able to decrypt the affected files independently.
“While Yangluowang is not a widespread ransomware threat, it still hurts users and, in the fight against ransomware, every defeated malicious program counts. Ransomware is an international threat, and that is why it is important for the cyber community to cooperate in the fight against ransomware. We hope our contribution helps organizations attacked by Yanlouwang,” comments Yanis Zinchenko, security researcher at Kaspersky.
Read the full report about the Yanluowang on Securelist.
To protect yourself from ransomware attacks, Kaspersky recommends you:
The Yanluowang decryptor has been added to the “No Ransom Kaspersky Rannoh Decryptor” tool. It can be downloaded from the No Ransom website – a project launched by Kaspersky to share solutions and stop the scourge of ransomware.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more atwww.kaspersky.com.