This has enabled it to produce a free decryptor tool and help victims recover their compromised files from the clutches of its flawed encryption algorithm.
The Yanluowang ransomware has proved highly problematic for businesses and financial institutions in many parts of the world, including North and South America.
There have also been instances of it appearing in Turkey, Sweden and China, according to Kaspersky's findings, with the earliest infections traced back as far as August of last year.
How to combat Yanluowang
The Symantec Threat Hunter team first discovered the targeted ransomware while they were investigating an incident on a large corporate network. Attacks appear to have been focused on manufacturing, IT services, consultancy firms and businesses in the engineering sector.
According to Symantec's research, the relatively low number of infections is down to the targeted nature of the ransomware: the threat actors prepare and carry out attacks against specific companies only.
Kaspersky's post documenting Yanluowang's capabilities outlines the threat to users: The ransomware program has the functionality to terminate virtual machines, processes and services. This is necessary to make files used by other programs available for encryption. The main parts of stopped services and processes include databases, email services, browsers, programs for working with documents, security solutions, backups and shadow copy services.
While Kaspersky recommends that businesses protect themselves against Yanluowang and other threats with suitable security software, it has also developed a way of tackling this particular strain using its Rannoh decryption tool. The company has published a series of steps that affected users can follow to decrypt their files, as outlined here:
To decrypt a file, you should have at least one original file. As mentioned earlier, the Yanluowang ransomware divides files into big and small files along a 3 GB threshold. This creates a number of conditions that must be met in order to decrypt certain files:
By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.
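Why a single original file is enough is easiest to see on a toy model. The following is an added example, not Kaspersky's decryptor or code from the article: it assumes the classic flaw a known-plaintext decryptor exploits, a stream cipher whose keystream is reused unchanged for every file (the article itself only says the algorithm is flawed and that one original file is required, so treat the cipher, the key and the file contents here as constructed for illustration). XORing an encrypted file with its original recovers the keystream for that many bytes, and that recovered keystream then decrypts any other file that fits inside it; a file longer than the known pair cannot be fully recovered, which is the same kind of length condition the 3 GB rule above expresses.

```python
"""Toy known-plaintext recovery against a stream cipher that reuses its keystream.

Constructed model for illustration only; it is NOT Yanluowang's real cipher.
"""
import hashlib
import os


def toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 in counter mode (stand-in for a real
    stream cipher). Same key -> identical keystream every time, for every file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The flaw: every file is XORed with the same keystream from offset 0,
    so plaintext1 ^ ciphertext1 == plaintext2 ^ ciphertext2 on shared bytes."""
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: one (original, encrypted) pair yields the keystream
    prefix covering len(original) bytes. The key itself is never needed."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies must be the same length")
    return xor_bytes(original, encrypted)


def decrypt_with_keystream(keystream: bytes, encrypted: bytes) -> bytes:
    """Decrypt another victim file. Only possible if the recovered keystream
    is at least as long as the file; otherwise the tail stays encrypted."""
    if len(encrypted) > len(keystream):
        raise ValueError(
            f"known pair covers {len(keystream)} bytes, file is {len(encrypted)}; "
            "a longer original file is needed"
        )
    return xor_bytes(encrypted, keystream)


def recover_files(original: bytes, encrypted: bytes, victims: dict) -> dict:
    """Run the recovery over a set of encrypted files. Returns, per file name,
    either the recovered plaintext or the reason it could not be recovered."""
    keystream = recover_keystream(original, encrypted)
    results = {}
    for name, data in victims.items():
        try:
            results[name] = decrypt_with_keystream(keystream, data)
        except ValueError as exc:
            results[name] = f"UNRECOVERED: {exc}"
    return results


if __name__ == "__main__":
    key = os.urandom(32)  # the attacker's key; the defender never learns it
    # Constructed sample files.
    known_plain = b"Quarterly report Q3 - CONFIDENTIAL - " + b"x" * 200
    small_doc = b"Customer list: " + b"y" * 80
    big_doc = b"Database dump " + b"z" * 1000

    known_enc = flawed_encrypt(key, known_plain)
    victims = {
        "small.doc": flawed_encrypt(key, small_doc),
        "big.dump": flawed_encrypt(key, big_doc),
    }
    for name, result in recover_files(known_plain, known_enc, victims).items():
        print(name, "->", result if isinstance(result, str) else "recovered OK")
```

Swap `toy_keystream` for any real stream cipher and the attack is unchanged: the weakness is keystream reuse across files, not the cipher's internal design. A defender checking a ransomware sample for this property needs only two encrypted files and their originals and can test whether `recover_keystream` gives the same bytes for both pairs.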