Helping the victims of Yatron and FortuneCrypt ransomware

October 8, 2019

Ransomware has been and remains a big headache for users and experts alike. Recovering files encrypted by ransomware is not a simple task, and in many cases it’s impossible. But we have good news for the victims of Yatron and FortuneCrypt malware: Kaspersky experts have developed and published decryptors for the files this particular malware encrypts.

Victims of Yatron and FortuneCrypt ransomware can recover their encrypted files by downloading a decryptor from the No More Ransom website.

How to decrypt files encrypted by Yatron

Yatron ransomware is based on another encryptor, Hidden Tear, which has an unusual story. A few years ago, Turkish researcher Utku Sen created this malware for educational and research purposes and uploaded the source code to the Internet. The legacy of this software is still with us all; experts continue to find new ransomware based on it, and Yatron is just one such example.

Fortunately, vulnerabilities were found in the Yatron code, and our experts took advantage of them to create a decryptor. If you see a *.yatron extension on any locked files, then go to the No More Ransom website to download a decryption tool that will recover your files.

How to decrypt files encrypted with FortuneCrypt

The second ransomware package is also difficult to call a masterpiece — er, hackerpiece? Instead of using advanced languages like C/C++ and Python, the creators of FortuneCrypt wrote it in BlitzMax, a fairly simple language that is a kind of turbocharged BASIC. In all the time we have spent researching and tracking malware, we had never before encountered this language.

Our experts found that the malware’s encryption algorithm is far from perfect, and that allowed them to develop a decryptor for it. As with Yatron, FortuneCrypt victims can download a decryption tool from the No More Ransom portal.

What to do about ransomware on your computer

First of all, do not pay the ransom. Paying only encourages criminals, and it is no guarantee you will be able to recover your data. The best course of action is to go to the No More Ransom website, which was created by experts from several cybersecurity companies and law enforcement agencies from all over the world, including Kaspersky, Interpol, and the Dutch police, to alleviate the plight of ransomware victims. The website contains decryptors for hundreds of ransomware programs, and of course they are all free.

How to protect yourself from ransomware extortionists

Finally, some tips on how to avoid becoming a victim:

  • Do not download programs from unknown and suspicious websites. Even if the name of the program looks right, the package may contain something completely different and dangerous.
  • Do not click on links or open file attachments in e-mails from unknown senders. If you receive a suspicious and unexpected message from a friend or colleague, call them to clarify whether the file is safe to open.
  • Make sure to install the latest updates for your operating system and the programs that you use regularly. This will help you to steer clear of the vulnerabilities that ransomware makers take advantage of.
  • Install a reliable antivirus app and never disable it, even if certain programs ask you to.
  • Perform backups of important data and store that data in the cloud, on a flash drive, or on an external drive.