We generally advise ransomware victims not to despair and not to delete any files – even if nothing helps in recovering them immediately. After all, one day the police might seize the attackers’ infrastructure, or researchers might uncover flaws in the malware algorithms. An illustration of the latter is Kaspersky’s analysis of the Yanluowang ransomware. Our experts found a vulnerability that allows file recovery without the attackers’ key — under certain conditions.
How to decrypt files encrypted by Yanluowang
The vulnerability in the Yanluowang malware allows file decryption with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean, one encrypted. So if the victim has clean copies of some of the encrypted files, or knows where to get them, our upgraded Rannoh Decryptor can analyze them and recover the rest of the information.
There’s one snag: Yanluowang encrypts files slightly differently depending on their size. It encrypts small files (less than 3GB) completely, and large ones only partially. So decrypting them requires clean files of different sizes. For files smaller than 3GB, it’s enough to have the original and the encrypted version of a single file that is 1024 bytes or larger. To recover files larger than 3GB, however, an original file of the appropriate size is needed. The upside is that once you find a clean file larger than 3GB, it will generally be possible to recover all of the affected information.
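As an added illustration (not Kaspersky’s decryptor and not code from the Securelist analysis), the constructed Python model below shows why one clean/encrypted pair lets a decryptor recover other files, and why the pair must be at least as long as the files you want back. It assumes a stream cipher that XORs a keystream reused across files; the cipher, the seed, the 1024-byte minimum taken from the text above, and the sample files are all constructed for the example.

```python
"""Constructed model of known-plaintext recovery against a reused keystream.
Assumption (not stated on the page): files are XORed with a keystream the
malware reuses for every file. The toy generator stands in for the real cipher."""
import hashlib

MIN_PAIR_LEN = 1024  # the page's minimum usable size for a clean/encrypted pair

def toy_keystream(seed: bytes, length: int) -> bytes:
    """Deterministic counter-mode stand-in for a stream cipher (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plain: bytes, seed: bytes) -> bytes:
    """Model of the ransomware's encryption: plaintext XOR reused keystream."""
    return xor_bytes(plain, toy_keystream(seed, len(plain)))

def recover_keystream(plain: bytes, cipher: bytes):
    """Known-plaintext step: plain XOR cipher yields the keystream prefix.
    Returns None if the pair is unusable (length mismatch or too short)."""
    if len(plain) != len(cipher) or len(plain) < MIN_PAIR_LEN:
        return None
    return xor_bytes(plain, cipher)

def decrypt_with_keystream(cipher: bytes, keystream: bytes):
    """Decrypt as far as the keystream reaches: (recovered bytes, fully recovered?)."""
    n = min(len(cipher), len(keystream))
    return xor_bytes(cipher[:n], keystream[:n]), n == len(cipher)

def demo() -> dict:
    """Constructed scenario: one clean 2048-byte file is known; two others are not."""
    seed = b"constructed-attacker-secret"       # never learned by the defender
    known = bytes(range(256)) * 8                # 2048 bytes, clean copy available
    small_victim = b"quarterly report\n" * 80    # 1360 bytes, shorter than known
    large_victim = b"database dump\n" * 300      # 4200 bytes, longer than known
    ks = recover_keystream(known, encrypt(known, seed))
    small, small_ok = decrypt_with_keystream(encrypt(small_victim, seed), ks)
    large, large_ok = decrypt_with_keystream(encrypt(large_victim, seed), ks)
    # The larger file is only recovered up to the length of the known pair.
    return {"small_ok": small_ok and small == small_victim,
            "large_ok": large_ok, "large_recovered": len(large)}
```

In the demo the 1360-byte file comes back intact, while the 4200-byte file is recovered only up to byte 2048, which is the model’s counterpart of needing a clean file of the appropriate size.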
What is Yanluowang and why is it dangerous?
Yanluowang is a relatively new ransomware family that unknown attackers use to target large companies. It was first reported late last year. To trigger the encryption process, the malware must be launched with the appropriate arguments, which suggests that an operator controls the attack manually. To date, victims of Yanluowang include companies in the U.S., Brazil and Turkey.
For technical details about Yanluowang, as well as indicators of compromise, see our Securelist post.
How to guard against Yanluowang
For basic protection against ransomware, follow our standard set of tips: always keep software up-to-date; save data backups to offline storage; provide employees with basic cybersecurity training; and furnish all connected devices with adequate protection against ransomware.
However, against targeted attacks — especially manually controlled ones — a comprehensive security approach is needed. So our experts additionally recommend:
- Monitoring outgoing traffic to detect suspicious connections promptly;
- Conducting regular cybersecurity audits;
- Supplying SOC employees with current cyberthreat data;
- Engaging third-party experts if needed.