A flaw has been found in the Yanluowang ransomware's encryption scheme that security researchers say makes it possible to recover files it has encrypted. The researchers who discovered the flaw have added support for it to a free decryption tool for users whose files were locked.
While analysing the ransomware, the researchers found that victims' files can be decrypted through a known-plaintext attack, which works from a matching pair of the same file, one original and one encrypted, rather than from the attackers' key. Yanluowang fully encrypts files of up to 3GB, since small files are quick to lock; files larger than 3GB are only partially encrypted, in 5MB stripes after every 200MB.
Because of this, the researchers explained, if the available original file is larger than 3GB, the decryptor can recover all files on the affected system, both large and small. If the only original file available is smaller than 3GB, only the small files can be decrypted.
To decrypt small files (3GB or less), users need a matching pair, an original and its encrypted copy, each of at least 1024 bytes. To decrypt large files (more than 3GB), users need an original and the encrypted copy of the same file, each no smaller than 3GB.
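To make the size requirements above concrete, here is an added toy model (not the ransomware's code and not the researchers' decryptor) of the striped layout and of the known-plaintext attack against it. It assumes things the article does not state, purely so the model runs: that the file cipher is a stream cipher (ciphertext = plaintext XOR keystream), that the keystream is indexed by file offset and reused for every file, and that the first 5MB stripe of a large file starts at offset 0. It shows why a recovered original/encrypted pair only helps with files whose encrypted ranges it covers; it does not try to reproduce the cipher internals behind the researchers' stronger result that one pair over 3GB unlocks everything.

```python
"""Toy model of striped file encryption and a known-plaintext keystream
recovery. Added example; the layout constants come from the article, the
stream-cipher and keystream-reuse behaviour are assumptions."""
from collections import namedtuple

MB = 1024 * 1024
GB = 1024 * MB

# Files up to `threshold` are encrypted whole; larger files only in
# `stripe`-byte blocks placed every `stride` bytes (first block at offset 0,
# an assumption: the article does not say where the first stripe sits).
Layout = namedtuple("Layout", "threshold stride stripe")
YANLUOWANG = Layout(threshold=3 * GB, stride=200 * MB, stripe=5 * MB)


def encrypted_ranges(size, layout=YANLUOWANG):
    """Byte ranges [start, end) that get encrypted in a file of `size` bytes."""
    if size <= layout.threshold:
        return [(0, size)] if size else []
    return [(off, min(off + layout.stripe, size))
            for off in range(0, size, layout.stride)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def simulate_encrypt(plaintext, keystream, layout=YANLUOWANG):
    """Stand-in for the ransomware: XOR the (assumed reused) keystream over
    the encrypted ranges only, leaving the rest of a large file untouched."""
    out = bytearray(plaintext)
    for start, end in encrypted_ranges(len(plaintext), layout):
        out[start:end] = _xor(plaintext[start:end], keystream[start:end])
    return bytes(out)


def recover_keystream(original, encrypted, layout=YANLUOWANG):
    """Known-plaintext attack: on every encrypted range, keystream =
    plaintext XOR ciphertext. Returns {range_start: keystream_fragment}.
    Bytes the ransomware never touched reveal nothing about the keystream."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copy must be the same size")
    return {start: _xor(original[start:end], encrypted[start:end])
            for start, end in encrypted_ranges(len(original), layout)}


def _lookup(known, start, end):
    """Return the recovered fragment that fully covers [start, end), if any."""
    for frag_start, frag in known.items():
        if frag_start <= start and end <= frag_start + len(frag):
            return frag[start - frag_start:end - frag_start]
    return None


def decrypt_with(known, encrypted, layout=YANLUOWANG):
    """Decrypt another victim file with recovered fragments. Returns
    (plaintext, uncovered): ranges listed in `uncovered` had no matching
    keystream and are left as ciphertext, which is why the pair you recover
    from must be at least as large as the files you want back."""
    out = bytearray(encrypted)
    uncovered = []
    for start, end in encrypted_ranges(len(encrypted), layout):
        frag = _lookup(known, start, end)
        if frag is None:
            uncovered.append((start, end))
        else:
            out[start:end] = _xor(encrypted[start:end], frag)
    return bytes(out), uncovered


if __name__ == "__main__":
    # Scaled-down layout so the demo runs instantly: "3GB" -> 300 bytes,
    # "200MB" -> 100 bytes, "5MB" -> 10 bytes. Constructed data, not real files.
    toy = Layout(threshold=300, stride=100, stripe=10)
    keystream = bytes((i * 131 + 7) % 256 for i in range(1000))
    big_plain = bytes(range(256)) * 3            # 768 bytes, above threshold
    small_plain = b"quarterly report " * 12      # 204 bytes, fully encrypted
    big_enc = simulate_encrypt(big_plain, keystream, toy)
    small_enc = simulate_encrypt(small_plain, keystream, toy)

    # A small pair only yields keystream for offsets 0..203, so it cannot
    # reach the later stripes of the large file.
    known_small = recover_keystream(small_plain, small_enc, toy)
    _, missing = decrypt_with(known_small, big_enc, toy)
    print("stripes a small pair cannot recover:", missing)

    # A large pair yields every stripe offset, so it recovers other large files.
    known_big = recover_keystream(big_plain, big_enc, toy)
    recovered, _ = decrypt_with(known_big, big_enc, toy)
    print("large file recovered:", recovered == big_plain)
```

Run it as a script for the scaled demo; with the default `YANLUOWANG` layout, `encrypted_ranges` reports the real 5MB-every-200MB stripe positions for a given file size, which is useful when checking what a partially encrypted file actually lost.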
The decryptor is now available to affected users as part of the Rannoh decryption tool (RannohDecryptor).
First spotted in October last year, the Yanluowang ransomware has been used in highly targeted attacks against companies and organisations.
In November 2021, its operators were seen targeting American firms in the financial industry, using the BazarLoader malware for initial access. The group's tactics, techniques and procedures (TTPs) overlap with those of the Thieflock ransomware operation, which has been associated with the FiveHands ransomware gang, also tracked as UNC2447.
Once launched on a compromised network, the Yanluowang ransomware stops hypervisor virtual machines, terminates running processes, and encrypts files, appending the .yanluowang extension. It then drops ransom notes named README[.]txt that warn victims not to contact law enforcement or ask cybersecurity firms for help.
If the gang's demands are not met, it threatens to launch DDoS (distributed denial of service) attacks against the victims' servers. It also warns victims that it will breach them again within a few weeks and delete their data, all to pressure them into paying.