Kaspersky updates decryption tool to fight ransomware pair

26 September 2019
Kaspersky has updated its RakhniDecryptor tool to allow users whose files were encrypted by Yatron and FortuneCrypt ransomware to retrieve their data without paying a ransom. The updated tool is available on the Nomoreransom.org website.


No-More-Ransom


Ransomware is a dangerous threat to consumers and businesses, with new types of malware being developed rapidly by cybercriminals every day, in order to victimize users. Once locked out of files, corporations and home users are at the mercy of empowered cybercriminals who demand substantial amounts of money to regain access to their information.

Yatron and FortuneCrypt are typical examples of this kind of malware. Yatron is the part of a so called ransomware-as-a-service affiliate program and its developers were reported to be planning to use the infamous EternalBlue and DoublePulsar exploits (malicious programs that use vulnerabilities in legal software to distribute other malicious software) as a propagation tool for the malware. While encrypting the victims’ files, this ransomware changes their extension to ‘.Yatron’. Kaspersky has developed a tool that is capable of recognizing such files and bringing them back to a normal state.

The other variant of ransomware – FortuneCrypt – is unusual as it is written with a BlitzMax compiler based on publicly available information and is a programming framework developed specifically for those involved in the first steps of video games development. Both ransomware variants contain issues in how they deal with the victims’ files, and this allowed Kaspersky researchers to find ways of undoing the damage this malware caused.

For those users who become victims of a ransomware attack and are left locked out of their files or devices, Kaspersky recommends taking the following steps:

  • Do not pay the ransom if a device has been locked. Paying extortionate ransoms only encourages cybercriminals to continue their attacks
  • Contact your local law enforcement agency and report the attack
  • Try to find out the name of the ransomware Trojan. This information can help cybersecurity experts decrypt the threat and retain access to your files
  • Back-up your files so they can be recovered should an attack happen
  • Keep your cybersecurity solution up-to-date by always installing the latest software patches
No-More-Ransom

Both the Yatron and FortuneCrypt decryptors have been added to the Kaspersky RakhniDecryptor tool. They can be downloaded from the No More Ransom website – a project launched by the Dutch National Police, Europol, McAfee and Kaspersky in 2016. The project involves cybersecurity experts and law enforcement agencies working together to share solutions and stop the scourge of ransomware.

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them.