[MART] - Daily Diary #494 - Yanluowang Ransomware Decryptor Released

CTAS-MAT ctas-mat at appgate.com
Tue Apr 19 23:42:00 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/19/2022 - Diary entry #494

In our Daily Diary #402, we covered Yanluowang Ransomware, a threat discovered in late 2021 that targeted large enterprises in the U.S., Brazil, Turkey and other countries. Yanluowang, named after the Chinese deity Yanluo Wang, was used only in targeted attacks and therefore has a low number of known infections.

To encrypt files, Yanluowang uses Sosemanuk, an unpatented symmetric stream cipher described in 2008. The Sosemanuk key is then encrypted with an RSA-1024 public key embedded in the malware, and the resulting bytes are appended to the end of each encrypted file. This means the matching RSA private key, held by the attackers, can unwrap the Sosemanuk key, which in turn decrypts the original file contents. More importantly, if the Sosemanuk key (or the keystream it produces) can be recovered by other means, the attackers' private key is not needed at all.

This week a new decryptor for Yanluowang was released as part of RannohDecryptor, one of the decryptors listed by the NoMoreRansom project. To use the tool, the victim needs an unencrypted backup copy of at least one encrypted file; a pair of at least 1024 bytes allows the tool to recover any file up to 3 GB in size. For encrypted files larger than 3 GB, the backup of another file of comparable size is needed. By comparing the original and encrypted file pair, RannohDecryptor deduces the Sosemanuk key material used on the other files and decrypts the rest of the files on the system. As with any decryptor, download it only from the NoMoreRansom site and run it against copies of the encrypted files first, keeping the originals until recovery is verified.
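The reason a single original/encrypted pair is enough, and why the pair has to be at least as large as the files to be recovered, follows from how a stream cipher works: ciphertext is plaintext XOR keystream, so a known plaintext gives back the keystream byte for byte, and if the malware reuses the same key and keystream position for every file (as the size rules above imply), that keystream decrypts every other file up to its own length. The following added example is not the RannohDecryptor code and does not implement Sosemanuk; it substitutes a SHA-256 counter-mode keystream (labelled as such) for the cipher, models the RSA-wrapped key trailer as an opaque 128-byte blob, and constructs its own sample files, so the file layout and size limits are assumptions made for illustration only.

```python
import hashlib
import os

# RSA-1024 produces a 128-byte ciphertext; the appended wrapped key is modelled
# as an opaque blob of that size (assumption: fixed-length trailer, nothing else).
TRAILER_LEN = 128


def keystream(key: bytes, length: int) -> bytes:
    """Toy stand-in for Sosemanuk: SHA-256 in counter mode.

    Any stream cipher that restarts from the same key/IV for every file has the
    same weakness demonstrated below; the specific cipher is irrelevant here.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(plaintext: bytes, key: bytes, wrapped_key: bytes) -> bytes:
    """Model of the ransomware output: ciphertext followed by the RSA-wrapped key."""
    return xor_bytes(plaintext, keystream(key, len(plaintext))) + wrapped_key


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR ciphertext == keystream prefix.

    The victim never learns the Sosemanuk key itself; the recovered keystream
    is only as long as the backed-up file, which is why larger files need a
    larger known pair.
    """
    body = encrypted[:-TRAILER_LEN]
    if len(body) != len(original):
        raise ValueError("backup and encrypted file must be the same file")
    return xor_bytes(original, body)


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> bytes:
    """Decrypt any other file encrypted under the same keystream, if short enough."""
    body = encrypted[:-TRAILER_LEN]
    if len(body) > len(ks):
        raise ValueError("need a known-plaintext pair at least as large as this file")
    return xor_bytes(body, ks[: len(body)])


def demo() -> dict:
    """Constructed scenario: one backed-up file recovers a smaller file but not a larger one."""
    victim_key = os.urandom(16)              # per-victim cipher key, never known to the decryptor
    wrapped_key = os.urandom(TRAILER_LEN)    # placeholder for the RSA-1024-encrypted key
    backup_doc = os.urandom(2048)            # file the victim still has an unencrypted copy of
    small_file = b"Q1 payroll " * 100        # 1100 bytes, no backup available
    large_file = os.urandom(4096)            # larger than the known pair

    enc_backup = encrypt_file(backup_doc, victim_key, wrapped_key)
    enc_small = encrypt_file(small_file, victim_key, wrapped_key)
    enc_large = encrypt_file(large_file, victim_key, wrapped_key)

    ks = recover_keystream(backup_doc, enc_backup)
    small_ok = decrypt_with_keystream(enc_small, ks) == small_file
    try:
        decrypt_with_keystream(enc_large, ks)
        large_ok = True
    except ValueError:
        large_ok = False
    return {"small_ok": small_ok, "large_ok": large_ok, "keystream_len": len(ks)}


if __name__ == "__main__":
    print(demo())
```

The same logic explains the tool's practical limits: a keystream recovered from a 1024-byte pair would only cover 1024 bytes in this model, so the real decryptor must recover more than a raw keystream prefix from a small pair, and the 3 GB threshold in the text marks where it falls back to needing a large known file.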

Creating decryptors through reverse engineering is hard work that requires advanced knowledge of cryptography and malware behavior, but it can help organizations and individuals that were affected in the past, and did not pay the ransom, to recover important files. In the double-extortion model, now common among new threats, a decryptor only means the files can be recovered; the threat of having the stolen data published online remains. Therefore, companies of all sizes should invest in prevention and not rely on the publication of free decryptors.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509


