Kaspersky updates decryption tool to combat ransomware duo
Kaspersky has updated its RakhniDecryptor tool to allow users whose files were encrypted by Yatron and FortuneCrypt ransomware to retrieve their data without having to cough up.
The updated tool is available on No More Ransom, a project launched by the Dutch National Police, Europol, McAfee and Kaspersky in 2016. The project involves cyber security experts and law enforcement agencies working together to share solutions and stop the scourge of ransomware.
According to Kaspersky, new ransomware strains are being developed every day by cyber criminals who hope to cash in.
Yatron and FortuneCrypt are typical examples of ransomware. Yatron is part of a so-called ransomware-as-a-service affiliate programme, and its developers were reported to be planning to use the EternalBlue and DoublePulsar exploits, which use vulnerabilities in legitimate software to distribute other malicious software, as a propagation tool.
EternalBlue, which was allegedly developed by the NSA, rose to infamy when it was heavily exploited in 2017 by the notorious WannaCry ransomware attacks.
While encrypting the victims’ files, Yatron changes their extension to ‘.Yatron’. Kaspersky’s tool recognises files with this extension and reverts them to a normal state.
The other variant of ransomware, FortuneCrypt, is unusual in that it is written with a BlitzMax compiler which, based on publicly available information, is a programming framework developed specifically for those taking their first steps in video game development.
Both variants had issues with how they deal with the victims’ files, and this enabled Kaspersky researchers to find ways of undoing the damage caused by this malware.
Orkhan Mamedov, a security expert at Kaspersky, says that while neither of these strains of ransomware is distributed too widely or can be regarded as a significant development in the threat landscape, it doesn’t mean that the cyber security community shouldn’t pay attention to them.
“The goal of a coordinated effort which our industry currently takes against ransomware is not only to help victims retrieve their files, but also to make the business of ransomware itself as troublesome and costly for scammers as possible. The more families we defeat, the harder it is for cybercriminals to profit from their activity. The new decryption tools we’ve released are contributions to this goal and certainly won’t be the last,” he added.
Kaspersky advises anyone who falls victim to a ransomware attack to not pay the ransom. “Paying extortionate ransoms only encourages cybercriminals to continue their attacks.”
In addition, Kaspersky says to contact local law enforcement and report the attack. “Also, try to find out the name of the ransomware Trojan. This information can help cyber security experts decrypt the threat and retain access to your files.”
In terms of prevention, it advises users to back up files so they can be recovered should an attack happen, and to keep any cyber security solution up to date by always installing the latest software patches.