Russian cybersecurity firm Kaspersky has released a free decryptor to help victims decrypt files locked by the Yanluowang ransomware.
According to Kaspersky, the decryptor was enabled by a vulnerability in the encryption algorithm of Yanluowang ransomware, which makes it possible to restore files the ransomware encrypts.
Yanluowang encrypts files larger and those smaller than 3GB using different methods. The larger files are partially encrypted in 5MB stripes after every 200MB. The smaller files are encrypted completely from beginning to end.
Due to different encryption methods, it is possible to encrypt all files on the compromised system if the original file is larger than 3 GB. However, if the original file is smaller than 3 GB, only small files can be decrypted.
To decrypt files smaller than or equal to 3 GB, users need a file pair with a size of 1024 bytes or more.
To decrypt large files larger than 3 GB, users need a pair of encrypted and original files, each no less than 3 GB in size.