{
	"id": "aeda28ab-c5f6-43cf-ba08-e7054d015b90",
	"created_at": "2026-04-06T00:21:47.131713Z",
	"updated_at": "2026-04-10T13:12:08.771728Z",
	"deleted_at": null,
	"sha1_hash": "40e5d25cb6dbafb07f919a95ed9d27b175ea61f2",
	"title": "Free decryptor released for Yanluowang ransomware victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1730602,
	"plain_text": "Free decryptor released for Yanluowang ransomware victims\r\nBy Sergiu Gatlan\r\nPublished: 2022-04-18 · Archived: 2026-04-05 14:30:29 UTC\r\nKaspersky today revealed it found a vulnerability in Yanluowang ransomware's encryption algorithm, which makes it possible to recover files it encrypts.\r\nThe Russian cybersecurity firm has added support for decrypting files locked by the Yanluowang ransomware strain to its RannohDecryptor utility.\r\n\"Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack,\" the company said today.\r\nhttps://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/\r\nPage 1 of 4\r\nThis ransomware strain encrypts files bigger than 3GB and those smaller than 3GB using different methods: larger ones are partially encrypted in 5MB stripes after every 200MB, while smaller ones are entirely encrypted from start to end.\r\nBecause of this, \"if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.\"\r\nTo decrypt your files, you need at least one of the original files:\r\nTo decrypt small files (less than or equal to 3 GB), you need a pair of files (encrypted and original) with a size of 1024 bytes or more. This is enough to decrypt all other small files.\r\nTo decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.\r\nTo decrypt files encrypted by Yanluowang ransomware, you have to use the Rannoh decryption tool available for download from Kaspersky's servers.\r\nKaspersky RannohDecryptor (BleepingComputer)\r\nYanluowang attacks high-profile enterprise targets\r\nYanluowang ransomware, first spotted in October 2021, has been used in human-operated, highly targeted attacks against enterprise entities.\r\nOne month later, one of its affiliates was found to have been attacking US organizations in the financial sector since at least August, using the BazarLoader malware for reconnaissance.\r\nBased on the tactics, techniques, and procedures (TTPs) used in these attacks, this Yanluowang affiliate was linked to the Thieflock ransomware operation developed by the Fivehands group (tracked by Mandiant as UNC2447).\r\nOnce deployed on compromised networks, Yanluowang stops hypervisor virtual machines, ends all processes, and encrypts files, appending the .yanluowang extension.\r\nIt also drops ransom notes named README.txt that warn victims not to contact law enforcement or ask any ransomware negotiation firms for help.\r\nIf the attackers' requests are not met, the ransomware operators threaten to launch distributed denial of service (DDoS) attacks against the victims' networks and to inform their employees and business partners that they were breached.\r\nThey also say they'll breach the victims' networks again \"in a few weeks\" and delete their data, a common tactic ransomware gangs use to pressure their victims into paying the ransom.\r\nSource: https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/"
	],
	"report_names": [
		"free-decryptor-released-for-yanluowang-ransomware-victims"
	],
	"threat_actors": [
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40e5d25cb6dbafb07f919a95ed9d27b175ea61f2.pdf",
		"text": "https://archive.orkl.eu/40e5d25cb6dbafb07f919a95ed9d27b175ea61f2.txt",
		"img": "https://archive.orkl.eu/40e5d25cb6dbafb07f919a95ed9d27b175ea61f2.jpg"
	}
}