Free Decryptors Released for Two Ransomware Families

Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free.On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families.In its analysis of the first threat, the Russian security firm found that Yatron derived much of its code from a crypto-malware strain called Hidden Tear. A security researcher published Hidden Tear’s code for “educational purposes” several years ago. Notwithstanding that researcher’s good intentions, bad actors abused Hidden Tear to develop their own creations. Indeed, Kaspersky documented infections from over 600 modifications of Hidden Tear over the previous year alone.

A screenshot of a Yatron infection. (Source: Kaspersky Lab)The individuals behind Yatron, or Trojan-Ransom.MSIL.Tear, modified Hidden Tear so that it would append the .Yatron extension to affected files. But they didn’t review their creation’s code for other errors. This enabled Kaspersky to exploit a flaw and thereby develop a free decryption utility.That same day, researchers released a decryptor for FortuneCrypt. This malware made an impression on Kaspersky in that it was the first ransomware strain to be written in Blitz BASIC, a programming language designed to appeal to beginning programmers. With that said, it’s unsurprising that the threat itself used a weak encryption routine to scramble users’ data, thereby allowing Kaspersky to make a recovery tool.

FortuneCrypt’s ransom note. (Source: Kaspersky Lab)Kaspersky Lab notes that these two malware families illustrate digital criminals’ commitment to preying upon users via new threats and attack methods. As it noted in its research:Nowadays, cybercriminals have a thousand and one ways of creating and spreading ransomware. There are two common scenarios behind the creation of this kind of malware: in one, the criminals prefer to just reconfigure existing malicious source code; in the other, they choose to write their own ransomware, sometimes even using very specific languages.Organizations should act upon Kaspersky’s findings to protect themselves against crypto-malware families which are more difficult to crack than Yatron and FortuneCrypt. This resource is a good place to start.