Kaspersky Lab discovered a flaw in the encryption algorithm used by Yanluowang ransomware, allowing for recovery of encrypted files. The RannohDecryptor software now supports decrypting files encrypted by the Yanluowang ransomware strain. “Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack,” reads the company announcement. One drawback is that Yanluowang corrupts data differently depending on the file size. It completely encrypts small files (under 3GB) and partially encrypts large files. As a result, decrypting them requires clean files of various sizes. It is enough to have the original plus an encrypted version of a file with a size of 1024 bytes or more for files smaller than 3GB. Original files of the proper size are required to recover files larger than 3GB.
Yanluowang ransomware has been utilized in human-operated, highly targeted attacks against enterprise entities since October 2021. After a month, one of its affiliates was discovered assaulting financial institutions in the United States, employing the BazarLoader malware for reconnaissance. The Yanluowang affiliate was linked to the Fivehands group’s Thieflock ransomware operation based on the tactics, techniques, and procedures (TTPs) used in these operations (tracked by Mandiant as UNC2447). Yanluowang disables hypervisor virtual machines, terminates all processes, and encrypts files with the .yanluowang extension once it has been installed on a compromised network. It also releases README.txt ransom notes, which advise victims not to contact law enforcement or seek assistance from any ransomware negotiating firms. If the ransomware operators’ demands are not met, they threaten to launch Distributed Denial of Service (DDoS) attacks against the victims’ networks and notify their employees and business partners that they have been hacked.