Remove ChinaYunLong Ransomware - Restore .yl Files
THREAT REMOVAL

Remove ChinaYunLong Ransomware – Restore .yl Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by ChinaYunLong and other threats.
Threats such as ChinaYunLong may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

ChinaYunLong-ransomware-desktop-wallpaper-sensorstechforum

This article provides detailed information about ChinaYunLong ransomware, its complete removal from the infected PC and alternative .yl data recovery approaches.

ChinaYunLong is data locker ransomware that renames corrupted files with the malicious extension .yl and blackmails victims into paying ransom for the decryption key. At the end of infection, ChinaYunLong replaces desktop wallpaper with an image that depicts a figure with the famous Anonymous mask. Additionally, a window called China Yun Long pop ups on the screen. The text on the pop up is supposed to be the ChinaYunLong ransom note. However, it appears to be completely crabbed due to eventual encoding errors.

Threat Summary

NameChinaYunLong
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on your computer and displays an unreadable ransom message afterward.
SymptomsThe ransomware will encrypt your valuable files and rename them with the .yl file extension.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by ChinaYunLong

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss ChinaYunLong.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

ChinaYunLong Ransomware – Distribution

The methods employed for ChinaYunLong ransomware distribution are believed to be the usual ones. The widely used spam emails are the preferred method of infection. Hackers use various social engineering tactics to trick users into downloading malicious file attachment or clicking corrupted web link. File attachments are extremely insidious as they trigger the ransomware infection as soon as they are started on the system. They come in different file formats – documents (with malicious macros), PDFs (with malicious JavaScript code), archived files in ZIP or RAR format, and other types of frequently used data. The email text generally presents the files as legal documents, invoices, vouchers, receipts, data reports, etc. In case that the malicious ChinaYunLong ransomware payload is injected into a web page, may land on the PC at the moment you open the site via the so called drive by download attack. Another way to infect with ChinaYunLong ransomware is through downloading various files via BitTorrent trackers and malicious or hacked download sites. Currently, its primary target seems to be Chinese speaking users who do not exclude attacks against users worldwide.

ChinaYunLong Ransomware – Overview

The infection process of ChinaYunLong ransomware begins once its payload is running on the system. The file is programmed to perform various system modifications, terminate and end processes to complete the attack. For the purpose, ChinaYunLong crypto virus is believed to establish a connection with its command and control server and then drop additional malware files on the PC. This connection can also be used for the data decryption key once it is generated. Data associated with the ransomware may be situated in the following folders:

  • %USERPROFILE%\Desktop\China Yun Long.exe
  • %PROGRAMFILES%\China Yun Long
  • %PROGRAMFILES%\Second Resurrection
  • %PROGRAMFILES%\Resurrection
  • %WINDIR%\Resurrection.exe
  • %USERPROFILE%\Desktop\China Yun Long.exe
  • C:\Second Resurrection.exe
  • C:\yl.ini

Next ChinaYunLong can open Registry editor to create new values under the keys Run and RunOnce in order to set the automatic execution of its payload each time the Windows operating system starts. Some values created in these keys allow the ransomware to replace the desktop wallpaper with ransomware associated image and display its ransom message on the PC screen. The ransom note is contained in a window that depicts the popular “Anonymous” mask and text that cannot be read as it contains only strange symbols. It is programmed to appear as a pop-up window that is named China Yun Long.

china-yun-long-pop-up-window-ransom-note-sensorstechforum

On it is provided a field which probably should be used for the decryption key. The ransomware seems to be in development, and its detected samples may be released in a test campaign. Users whose machines are infected with ChinaYunLong ransomware are strongly advised to delete the threat and avoid ransom payment. Otherwise, you risk losing your money for a decryption key that is completely broken or missing at all.

ChinaYunLong Ransomware – Encryption

For the encryption process ChinaYunLong crypto virus first initiates a scan process of all drives. During the scan the ransomware compares each file stored on the system with files set as targets. Target data is predefined in its code as a list of various file extensions. The full list includes:

.7z, .asp, .avi, .bak, .doc, .docx, .dps, .e, .et, .excel, .h, .htm, .html, .jpg, .mp3, .mp4, .pdf, .php, .png, .ppt, .pptx, .rar, .txt, .word, .wps, .xls, .xlsx, .zip

ChinaYunLong encrypts frequently used files that contain valuable information like documents, images, photos, videos, music, archives, databases, projects and other.

Once the threat encrypts a file, it becomes completely unusable until the decryption key is applied. Corrupted data can also be recognized by the file extension .yl that is appended to the file name. At this point no information about the used encryption algorithm is available. Hopefully, security researchers will be able to crack the code of ChinaYunLong ransomware and release freely available decryption tool for .yl files. Meanwhile, after the ransomware removal, some alternative data recovery tools may be of a help for the encrypted files.

Remove ChinaYunLong Ransomware and Restore .yl Files

ChinaYunLong ransomware should be removed from the infected machine as it cannot be used regularly as long as the threat is running on it. Leaving the ransomware code on the PC will allow it to encrypt each new file you create and display its objects each time you start the Windows OS. Furthermore, once it is gone, you can try to recover part of .yl files by following our instructions in the guide below. The ChinaYunLong ransomware removal can be completed either manually or automatically.

Note! Your computer system may be affected by ChinaYunLong and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as ChinaYunLong.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove ChinaYunLong follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove ChinaYunLong files and objects
2. Find files created by ChinaYunLong on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections. She believes that in times of constantly evolving dependency of network connected technologies, people should spread the word not the war.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...