Yatron is the name of a new ransomware-as-a-service that is currently being advertised on Twitter. Apparently, the ransomware plans to use the EternalBlue and DoublePulsar exploits (https://sensorstechforum.com/eternalblue-exploit-backdoor-nitol-gh0st/) for distribution purposes.
|Type|Ransomware, Cryptovirus, RaaS|
|Short Description|The ransomware encrypts files on your computer and displays a ransom message afterward.|
|Symptoms|The ransomware encrypts your files and drops a ransom note in a text file.|
|Distribution Method|Spam Emails, Email Attachments|
.yatron Ransomware – Update October 2019
The good news for all victims of Yatron ransomware (.yatron files) is that security researchers have cracked the code of this variant and released a decrypter.
So the moment you remove all malicious files and objects from your infected system you can download the decryption tool and then restore your files.
The decryptor is made by Kaspersky and has already been used successfully to decrypt many other ransomware families.
Yatron Ransomware-as-a-Service in Detail
The Yatron ransomware is set to delete victims’ encrypted files in case a payment hasn’t been made in 72 hours. Once executed, the ransomware scans the targeted system for specific files and encrypts them appending the .Yatron extension.
Once the encryption process is finished, the ransomware sends the encryption password and the victim's unique ID to the command and control server. According to security researcher Michael Gillespie, Yatron is based on the well-known RaaS HiddenTear. However, the encryption algorithm has been altered in such a way that decryption with known methods is practically impossible.
However, the most interesting part of the ransomware is that it contains code meant to use the EternalBlue and DoublePulsar exploits to propagate on Windows computers on the same network via SMBv1 security vulnerabilities.
The good news is that the code that would use the exploits is unfinished, and Yatron is currently not using the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executables it bundles.
Another thing the ransomware tries to do is to spread via peer-to-peer programs by copying its executable to default folders. Once the p2p program is started, the ransomware will automatically be shared by the p2p client.
As for Yatron’s ransom note, it says the following:
Your personal files are encrypted By Yatron
Oops ,Your Files Have Been Encrypted
your important files are encrypted !
Your documents, photos, databases and Other personal files are encrypted ?
the files that you looked for not readable ?
We are the only ones who can decrypt your files Through the unique key.
what should I do for decrypting my files?
If you want to recover your files, you must purchase a the unique key
send 0.5 btc to the payment address : ***
Send us your ID after your payment
Email to contact us : yatron_Decryptor@mail.ru
As proof you can email us 2 files to decrypt and we will send you the recover files to prove that we can decrypt your files
you have 3 Days to pay or Your files will be deleted
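The following triage script is an added example, not code from this article or from the Yatron sample: it walks a directory tree for the indicators described above (the appended .Yatron extension, the opening line of the ransom note and the two bundled exploit executables) and reports the modification-time window of the encrypted files, which bounds when the encryption run happened. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators from the write-up: extension, ransom-note opening line, bundled exploit EXEs.
YATRON_EXTENSION = ".yatron"
NOTE_MARKER = "your personal files are encrypted by yatron"
DROPPER_NAMES = {"eternalblue-2.2.0.exe", "doublepulsar-1.3.1.exe"}


def _has_note_marker(path):
    # Read only the first 4 KB: ransom notes are short, large .txt files stay out of memory.
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            return NOTE_MARKER in fh.read(4096).lower()
    except OSError:
        return False


def triage_tree(root):
    """Collect Yatron indicators under `root` (name matching is case-insensitive),
    plus the (earliest, latest) UTC mtime of encrypted files to bound the run."""
    encrypted, notes, droppers = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower.endswith(YATRON_EXTENSION):
                encrypted.append(path)
            elif lower in DROPPER_NAMES:
                droppers.append(path)
            elif lower.endswith(".txt") and _has_note_marker(path):
                notes.append(path)
    mtimes = [os.path.getmtime(p) for p in encrypted]
    window = tuple(datetime.fromtimestamp(t, timezone.utc)
                   for t in (min(mtimes), max(mtimes))) if mtimes else None
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "droppers": sorted(droppers), "window": window}


def build_sample_tree():
    """Constructed sample (not a real infection): a tree as Yatron would leave it."""
    root = tempfile.mkdtemp(prefix="yatron_triage_")
    os.makedirs(os.path.join(root, "Documents"))
    files = {"Documents/report.docx.Yatron": "x", "Documents/photo.jpg.yatron": "x",
             "Documents/READ_ME.txt": "Your personal files are encrypted By Yatron\n",
             "notes.txt": "shopping list\n", "Eternalblue-2.2.0.exe": "MZ"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run `triage_tree` against a suspect volume's root; on a real system the dropper names should also be checked in the peer-to-peer shared folders the article mentions, once you know which client is installed.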
So far, security researchers believe that no one has paid to use the ransomware. Nonetheless, users should be on the lookout since RaaS pieces are known to quickly gain popularity among cybercriminals.
Remove Yatron (.yatron) Ransomware
If your computer got infected with Yatron ransomware, you should have a bit of experience in removing malware. You may want to remove the ransomware as quickly as possible before it gets the chance to spread further and infect other computers. Keep in mind that ransomware-as-a-service pieces such as Yatron may quickly adopt other extensions.