{
	"id": "427d36c5-ced4-4809-922a-0b8d55927ef3",
	"created_at": "2026-04-06T00:11:21.125651Z",
	"updated_at": "2026-04-10T03:21:53.269217Z",
	"deleted_at": null,
	"sha1_hash": "8ee9a5025ff4ef43f78e55656d7b0d7df8b47ed0",
	"title": "Ransomware: two pieces of good news",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 223360,
	"plain_text": "Ransomware: two pieces of good news\r\nBy AMR\r\nPublished: 2019-09-25 · Archived: 2026-04-05 14:35:17 UTC\r\n“All your files have been encrypted.” How many times has this suddenly popped up on your screen? We hope\r\nnever, because it’s one of the most common indicators that you’ve lost access to your files. And if there are no\r\npublicly available decryptors or you don’t have any backup copies, you’re in trouble.\r\nNowadays, cybercriminals have a thousand and one ways of creating and spreading ransomware. There are two\r\ncommon scenarios behind the creation of this kind of malware: in one, the criminals prefer to just reconfigure\r\nexisting malicious source code; in the other, they choose to write their own ransomware, sometimes even using\r\nvery specific languages.\r\nHowever, don’t despair, because those fighting ransomware are not standing still either. In fact, we have two\r\npieces of good news to share with you.\r\nGood news #1\r\nWe’ve released a decryptor for the Yatron ransomware. The authors of the ransomware chose the first scenario\r\nmentioned above and based their ‘creation’ on the code used in Hidden Tear, a well-known sample of open-source\r\nransomware. According to our statistics, during the last year alone our products have prevented more than 600\r\ninfections by various modifications of Trojan-Ransom.MSIL.Tear, with most attacks recorded in Germany, China,\r\nthe Russian Federation, India and Myanmar.\r\nAmong the numerous modifications of Trojan-Ransom.MSIL.Tear, this one can be distinguished by the extension\r\n.Yatron that’s appended to encrypted files.\r\nhttps://securelist.com/ransomware-two-pieces-of-good-news/93355/\r\nPage 1 of 4\n\nHowever, using third-party code without checking it raises the risk of critical vulnerabilities affecting the overall\r\neffectiveness of the program. That’s what happened here. 
Due to mistakes in the cryptographic scheme we were\r\nable to create a decryptor.\r\nGood news #2\r\nWe’ve released a decryptor for the unique FortuneCrypt ransomware. To describe this malware, we could\r\nparaphrase Archimedes: give me a programming language, and I will write a ransomware program. The main\r\nfeature of this ransomware is that it was compiled using a BlitzMax compiler. As Wikipedia states: “Being derived\r\nfrom BASIC, Blitz syntax was designed to be easy to pick up for beginners first learning to program. The\r\nlanguages are game-programming oriented but are often found general-purpose enough to be used for most types\r\nof application”. We’ve seen lots of ransomware written in C/C++, C#, Delphi, JS, Python, etc., but FortuneCrypt\r\nis the first ransomware we’ve seen that’s written in Blitz BASIC.\r\nDuring the last year, our products registered more than 6,000 attacks carried out by the numerous variations of the\r\nmalicious Trojan-Ransom.Win32.Crypren family (FortuneCrypt is part of this family). 
The top five countries\r\nattacked by the malware are: the Russian Federation, Brazil, Germany, South Korea and Iran.\r\nThe cryptor changes neither the file extension nor the file name; instead, it marks encrypted files by adding a text\r\nstring to the beginning of an encrypted file.\r\nThe only indicator of infection visible to the victim is a ransom text that appears on the screen.\r\nAfter some analysis, we found that the cryptographic scheme used by the malware is weak and the encrypted files\r\ncan be easily recovered.\r\nDecryptors\r\nBoth the decryptors mentioned here have been added to our RakhniDecryptor tool, which can be downloaded\r\nfrom the following sources:\r\nhttps://support.kaspersky.com/viruses/disinfection/10556\r\nhttps://www.nomoreransom.org/en/decryption-tools.html\r\nIOCs\r\nYatron ransomware\r\n7910B3F3A04644D12B8E656AA4934C59A4E3083A2A9C476BF752DC54192C255B\r\nFortuneCrypt\r\nE2B9B48755BCA1EDFBA5140753E3AF83FB0AE724E36D8C83AB23E262196D1080\r\nC26192E7B14991ED39D6586F8C88A86AF4467D5E296F75487BB62B920DEA533F\r\nF2DCD2308C18FDB56A22B7DB44E60CDB9118043830E03DF02DAC34E4C4752587\r\nSource: https://securelist.com/ransomware-two-pieces-of-good-news/93355/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ransomware-two-pieces-of-good-news/93355/"
	],
	"report_names": [
		"93355"
	],
	"threat_actors": [],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ee9a5025ff4ef43f78e55656d7b0d7df8b47ed0.pdf",
		"text": "https://archive.orkl.eu/8ee9a5025ff4ef43f78e55656d7b0d7df8b47ed0.txt",
		"img": "https://archive.orkl.eu/8ee9a5025ff4ef43f78e55656d7b0d7df8b47ed0.jpg"
	}
}