Home > Cyber News > Yatron RaaS Appends .yatron Extension, Aims to Utilize EternalBlue Exploit
CYBER NEWS

Yatron RaaS Appends .yatron Extension, Aims to Utilize EternalBlue Exploit


Yatron is the name of a new ransomware-as-a-service which is currently being advertised on Twitter. Apparently, the ransomware plans to use the [wplinkpreview url=”https://sensorstechforum.com/eternalblue-exploit-backdoor-nitol-gh0st/”] EternalBlue and DoublePulsar exploits for distribution purposes.

Threat Summary

Name Yatron
Type Ransomware, Cryptovirus, RaaS
Short Description The ransomware encrypts files on your computer and displays a ransom message afterward.
Symptoms The ransomware will encrypt your files and put up a ransom note inside a text file.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by malware

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Yatron.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.yatron Ransomware – Update October 2019

The good news for all victims of Yatron ransomware (.yatron files) is that security researchers have cracked the code of this variant and released a decrypter.

So the moment you remove all malicious files and objects from your infected system you can download the decryption tool and then restore your files.

The decryptor is made by Kaspersky and used successfully for the decryption of many other ransomware viruses.

Yatron Ransomware-as-a-Service in Detail

The Yatron ransomware is set to delete victims’ encrypted files in case a payment hasn’t been made in 72 hours. Once executed, the ransomware scans the targeted system for specific files and encrypts them appending the .Yatron extension.

Once the encryption process is finished, the ransomware sends the encryption password and unique ID to the command and control server. Security researcher Michael Gillespie, Yatron is based on the well-known RaaS HiddenTear. However, the encryption algorithm has been altered in such a way that decryption with known methods is rather impossible.

However, the most interesting part of the ransomware is that it contains code meant to use the EternalBlue and DoublePulsar exploits to propagate on Windows computers on the same network via SMBv1 security vulnerabilities.
The good news is that the code that should utilize the exploits is unfinished, and Yatron is currently not utilizing the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executable files.

Another thing the ransomware tries to do is to spread via peer-to-peer programs by copying its executable to default folders. Once the p2p program is started, the ransomware will automatically be shared by the p2p client.
As for Yatron’s ransom note, it says the following:

Your personal files are encrypted By Yatron
Oops ,Your Files Have Been Encrypted
your important files are encrypted !
Your documents, photos, databases and Other personal files are encrypted ?
the files that you looked for not readable ?
We are the only ones who can decrypt your files Through the unique key.
what should I do for decrypting my files?
If you want to recover your files, you must purchase a the unique key
send 0.5 btc to the payment address : ***
Send us your ID after your payment
Email to contact us : yatron_Decryptor@mail.ru
As proof you can email us 2 files to decrypt and we will send you the recover files to prove that we can decrypt your files

you have 3 Days to pay or Your files will be deleted

So far, security researchers believe that no one has paid to use the ransomware. Nonetheless, users should be on the lookout since RaaS pieces are known to quickly gain popularity among cybercriminals.

Remove Yatron (.yatron) Ransomware

If your computer got infected with Yatron ransomware, you should have a bit of experience in removing malware. You may want to remove the ransomware as quickly as possible before it gets the chance to spread further and infect other computers. Keep in mind that ransomware-as-a-service pieces such as Yatron may quickly adopt other extensions.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree