
Kaspersky offers free decryptor tool to deal with Yanluowang ransomware


Kaspersky, the Russian cybersecurity business, has discovered a weakness in the Yanluowang ransomware, a strain that has been causing headaches for IT departments globally.

The weakness has enabled it to produce a free decryptor tool that helps victims recover files locked by the malware's flawed encryption.

The Yanluowang ransomware has proved highly problematic for businesses and financial institutions in many parts of the world, including North and South America.

There have also been instances of it in Turkey, Sweden and China, according to Kaspersky's findings, with the earliest infections traced back to August of last year.


How to combat Yanluowang

The Symantec Threat Hunter team first discovered the targeted ransomware while they were investigating an incident on a large corporate network. Attacks appear to have been focused on manufacturing, IT services, consultancy firms and businesses in the engineering sector.

According to Symantec's research, the relatively low number of infections is down to the targeted nature of the ransomware: the threat actors prepare and carry out attacks against specific companies only.

Kaspersky's post documenting Yanluowang’s potential outlines the threat to users: The ransomware program has the functionality to terminate virtual machines, processes and services. This is necessary to make files used by other programs available for encryption. The main parts of stopped services and processes include databases, email services, browsers, programs for working with documents, security solutions, backups and shadow copy services.

While Kaspersky recommends that businesses protect themselves against Yanluowang and other threats with suitable security software, it has also added support for the strain to its Rannoh decryption tool. The company has set out the conditions under which affected files can be decrypted, as outlined here:

To decrypt a file, you should have at least one original file. As mentioned earlier, the Yanluowang ransomware divides files into big and small files along a 3 gigabyte threshold. This creates a number of conditions that must be met in order to decrypt certain files:

By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.
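The requirement for an original copy of at least one file, and the way the size of that original decides which other files can be recovered, is the signature of a known-plaintext attack on a stream cipher whose keystream is reused across files: XORing an original with its encrypted twin yields the keystream, and that keystream then unlocks every other file no longer than the original. The toy below is an added example written for this article, not Kaspersky's tool or any code from the Yanluowang authors; it uses a SHA-256 counter-mode stand-in rather than the malware's real cipher, and the file names, sizes and contents are constructed. It models the article's threshold at a tiny scale: a 1008-byte original recovers the 600-byte file but not the 4096-byte one, while a 4096-byte original recovers everything.

```python
"""Toy model of a keystream-reuse flaw, recovered with a known-plaintext pair.

Added illustration for this article. The cipher is a stand-in (SHA-256 in
counter mode), not the ransomware's real algorithm, and every file is
constructed sample data.
"""
from __future__ import annotations

import hashlib
import os

# Constructed victim files: one "small" (600 B), one mid-sized (1008 B), one "big" (4096 B).
FILES: dict[str, bytes] = {
    "memo.txt": b"quarterly memo " * 40,        # 600 bytes
    "ledger.csv": b"id,amount,account\n" * 56,  # 1008 bytes
    "backup.img": bytes(range(256)) * 16,       # 4096 bytes
}


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Stand-in for the real cipher;
    the weakness modelled here is keystream *reuse*, not the cipher itself."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """The flaw: every file is XORed with the SAME keystream, starting at offset 0."""
    return xor(plaintext, keystream(key, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR ciphertext = keystream prefix.
    The key itself is never learned; only as many keystream bytes as the original is long."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copy must be the same file")
    return xor(original, encrypted)


def decrypt_with_keystream(ks: bytes, encrypted: bytes) -> bytes | None:
    """Return the plaintext, or None when the recovered keystream is too short
    to cover the file (this is the 'need a larger original' condition)."""
    if len(encrypted) > len(ks):
        return None
    return xor(encrypted, ks[: len(encrypted)])


def recover_files(original_name: str, originals: dict[str, bytes],
                  encrypted: dict[str, bytes]) -> dict[str, str]:
    """Use one known original/encrypted pair to attempt recovery of every file.
    `originals` is consulted for the known pair and, here, only to verify results."""
    ks = recover_keystream(originals[original_name], encrypted[original_name])
    outcome: dict[str, str] = {}
    for name, blob in encrypted.items():
        plaintext = decrypt_with_keystream(ks, blob)
        outcome[name] = "recovered" if plaintext == originals[name] else "needs longer original"
    return outcome


def demo(key: bytes | None = None) -> dict[str, dict[str, str]]:
    """Encrypt the sample set with a random (never-disclosed) key and show how the
    size of the one available original bounds what can be decrypted."""
    key = key or os.urandom(32)  # hypothetical victim key; the recovery never sees it
    enc = {name: encrypt_file(key, data) for name, data in FILES.items()}
    return {
        "ledger_as_original": recover_files("ledger.csv", FILES, enc),  # 1008-byte original
        "backup_as_original": recover_files("backup.img", FILES, enc),  # 4096-byte original
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario)
        for name, status in result.items():
            print(f"  {name:12s} {status}")
```

The point a practitioner should take from the run is that the recovered keystream, not the key, is what the decryptor works with, so its reach ends exactly where the original file ends. That is why an original above the article's 3 GB threshold covers both large and small files, while a smaller one covers only files of its own size or less.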


Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.