Kaspersky has released a free decryptor for Yanluowang ransomware, which Symantec discovered last year. Kaspersky built the tool after identifying a vulnerability in the encryption algorithm the ransomware employs. The tool is free, so victims can retrieve their data without paying anything.
It’s also been reported that Yanluowang has hit numerous locations, including the United States, Brazil, and Turkey. Victims will be pleased by the decryption tool, but Kaspersky cautions that it needs at least one original file to function.
In a posting about the release of the free tool, Kaspersky says:
“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack. All that was required for this to work was added to the Rannoh decryption tool.”
The Yanluowang ransomware divides files into big and small files, with 3 GB as the dividing line. As a result, certain requirements must be met before particular files can be decrypted.
How does the decryptor for Yanluowang ransomware work?
- To decrypt small files (less than or equal to 3 GB), you need a pair of files (encrypted and original) with a size of 1024 bytes or more. This is enough to decrypt all other small files.
- To decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
- If the original file is larger than 3 GB, all files on the infected system, both big and small, may be decrypted. However, if the original file is smaller than 3 GB, only small files can be decrypted.
More information is available in Kaspersky’s How to recover files encrypted by Yanlouwang post.