Kaspersky released a tool to help businesses recover files hit by a recently-disclosed ransomware strain.
In a blog post Monday, the antimalware vendor said that its research team used a vulnerability in the Yanluowang ransomware to defeat the malware’s file encryption and allow users to reclaim their locked data. Yanluowang recently emerged with a series of what Kaspersky believes to be targeted attacks against specially-chosen business targets. The attacks have been mostly concentrated in the U.S., Brazil and Turkey, with a handful of businesses in other countries also targeted.
“The ransomware is relatively recent, its name a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell,” Kaspersky explained in the blog post. “Unfortunately, we do not know much about the victims.”
The researchers noted that, once infected, the ransomware provides its victim with a note threatening them not to contact law enforcement or “take us for fools” under the pain of having networks and data completely wiped.
According to Kaspersky researcher Marc Rivero, it’s likely that the group has at least some experience.
“At the investigation time, we couldn’t tie this ransomware group to any known group or intrusion set,” Rivero told SearchSecurity. “But, based on the flaw we could spot, we assess with low confidence that the group or individual criminal that created this ransomware family had past experience in the ransomware ecosystem.”
Fortunately for the few businesses that have been targeted by the new ransomware, Kaspersky said it spotted a flaw in the ransomware’s RSA-1024 asymmetric encryption algorithm that enabled its research team to crack the ransomware’s encryption. As a result, Kaspersky posted a free decryptor.
“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack,” Kaspersky explained in its report. “All that was required for this to work was added to the Rannoh decryption tool.”
Kaspersky noted that in order for the decryptor to work properly, users will need to find at least one unencrypted file, and in the case of large encrypted files over 3GB, another similar-sized unencrypted file will also need to be supplied.
To prevent an attack from the Yanluowang ransomware, Kaspersky advised companies to adopt security best practices such as limiting RDP access, maintaining updated software and configuring networks to limit the possibility of lateral network movement by attackers.