The ransomware dubbed Yanluowang targets companies around the world, encrypting files on their computers and blocking access to their systems, leaving victims without their data. Previously, the victims' only option was to pay the ransom demanded by the cybercriminals. However, after analysing the ransomware, Kaspersky researchers have developed a free tool that allows victims to recover their affected files without the attackers' key. The tool is already available on the No Ransom website.
Yanluowang was first discovered in October 2021. Its name is a reference to the Chinese deity Yanluo Wang, one of the ten kings of hell. According to Kaspersky telemetry, Yanluowang has been attacking large businesses in the United States, Turkey, Brazil and other countries.
An attack using Yanluowang begins with an operator manually launching the encryption. While encrypting the victim's files, the ransomware appends the extension “.Yanlouwang” to their names. Once the computer has been encrypted, a ransom note is left in a plainly accessible file. The cybercriminals threaten that if the victim goes to the police, all files on the infected computer will be deleted. Even after all files have been deleted, the victim is not left alone: Yanluowang's authors then threaten to attack the entire company with DDoS attacks and further ransomware infections of employees' computers.
[Figure: An example of a Yanluowang ransom note]
Kaspersky experts analysed the ransomware and found a vulnerability that allows victims to decrypt the files on an infected computer. The victim needs at least one original (unencrypted) copy of an affected file, together with the specially designed decryption tool. With those, the victim can decrypt the affected files independently.
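Because the decryptor depends on the victim supplying original copies of affected files, the first incident-response step is to inventory what was encrypted and which of those files still have a clean copy elsewhere. The script below is an added illustration of that triage, not Kaspersky's decryptor or any code from the report; it assumes the “.Yanlouwang” extension named above is appended to the original file name, and that clean copies live in a backup tree mirroring the victim's directory layout (both assumptions, plus the sample files, are constructed for the example).

```python
import os
import tempfile
from pathlib import Path

# Extension appended by the ransomware, as stated in the report.
ENCRYPTED_EXT = ".Yanlouwang"


def original_name(name: str) -> str:
    """Strip the appended extension to recover the pre-attack file name."""
    if name.lower().endswith(ENCRYPTED_EXT.lower()):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def find_encrypted(root: Path) -> list:
    """All files under root that carry the ransomware's extension."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower().endswith(ENCRYPTED_EXT.lower()))


def triage(victim_root: Path, backup_root: Path) -> dict:
    """Pair each encrypted file with a clean copy at the same relative path in the backup.
    Files without a clean copy are listed so the responder knows what the decryptor
    cannot be fed an original for."""
    pairs, unpaired = [], []
    for enc in find_encrypted(victim_root):
        rel = enc.relative_to(victim_root).with_name(original_name(enc.name))
        candidate = backup_root / rel
        (pairs if candidate.is_file() else unpaired).append((enc, candidate))
    return {"pairs": pairs, "unpaired": [enc for enc, _ in unpaired]}


def build_sample(tmp: Path):
    """Constructed sample: two encrypted files on the victim host, one with a backup copy."""
    victim, backup = tmp / "victim", tmp / "backup"
    (victim / "finance").mkdir(parents=True)
    (backup / "finance").mkdir(parents=True)
    (victim / "finance" / "q3.xlsx.Yanlouwang").write_bytes(os.urandom(64))  # fake ciphertext
    (victim / "notes.txt.Yanlouwang").write_bytes(os.urandom(32))            # fake ciphertext
    (backup / "finance" / "q3.xlsx").write_bytes(b"clean copy from backup")
    return victim, backup


def demo() -> dict:
    """Run the triage over the constructed sample tree; returns relative paths as strings."""
    victim, backup = build_sample(Path(tempfile.mkdtemp(prefix="yanluowang_triage_")))
    result = triage(victim, backup)
    return {
        "paired": [(e.relative_to(victim).as_posix(), o.relative_to(backup).as_posix())
                   for e, o in result["pairs"]],
        "unpaired": [e.relative_to(victim).as_posix() for e in result["unpaired"]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Files listed as unpaired need an original located by other means (mail attachments, shares, vendor copies) before the decryptor can be applied to them.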
“While Yanluowang is not a widespread ransomware threat, it still hurts users and, in the fight against ransomware, every defeated malicious program counts. Ransomware is an international threat, and that is why it is important for the cyber community to cooperate in the fight against ransomware. We hope our contribution helps organisations attacked by Yanluowang,” comments Yanis Zinchenko, security researcher at Kaspersky.
Read the full report about Yanluowang on Securelist.
To protect yourself from ransomware attacks, Kaspersky recommends you:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways into your network.
- Always keep software updated on all devices you use to prevent ransomware from exploiting vulnerabilities.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
- Back up data regularly and make sure you can access it quickly in an emergency.
- Use the latest Threat Intelligence to stay on top of current TTPs used by threat actors.
- Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response, which help identify and stop an attack during its early stages before attackers are able to achieve their final goals.
- Protect the corporate environment by educating your employees. Dedicated training courses, such as the ones provided on the Kaspersky Automated Security Awareness Platform, can help.
- Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine capable of rolling back malicious actions. KESB also has self-defense mechanisms to prevent cybercriminals from removing it.
The Yanluowang decryptor has been added to the “No Ransom Kaspersky Rannoh Decryptor” tool. It can be downloaded from the No Ransom website – a project launched by Kaspersky to share solutions and stop the scourge of ransomware.