On Monday 18th of April 2022, Kaspersky, a Russian cybersecurity firm announced that they had found a vulnerability in Yanluowang ransomware’s encryption algorithm, which makes it possible to recover files it encrypts. Kaspersky has stated they’ve added support for decrypting files locked by the Yanluowang ransomware strain to their free RannohDecryptor utility.
Yanluowang ransomware strain has been observed to encrypt files which are bigger than 3GB by partially encrypting them in 5MB stripes after every 200MB. It has also been observed using a different method to encrypt files that are smaller than 3GB which results in these smaller files being entirely encrypted from start to end.
Therefore, as the ransomware strain uses two different methods to encrypt, there are two sets of requirements for decrypting small and large files. For the decryption of small files (less than or equal to 3 GB), a pair of files with a size of 1024 bytes or more is required and will allow for the decryption of all small files but won’t decrypt files larger than 3GB. For files which are larger than 3 GB, a pair of files (encrypted and original) no less than 3 GB in size each is required and will allow for the decryption of all files on an infected system including both large and small files.