The Yatron ransomware scans the targeted computer for specific files and encrypts them using RaaS cryptography. Immediately afterwards it appends the .Yatron extension to the filenames, making the files inaccessible.
Once the encryption process is finished, the ransomware generates a .txt file containing a short message. The message states that victims have to pay the ransom fee to the developers within 72 hours, otherwise the encrypted files will be deleted.
The ransomware sends the encryption passwords and a unique code to the command and control server. On the ransom note, the developers claim they will provide decryption once the ransom fee is paid.
According to cyber-security researcher Michael Gillespie, Yatron is based on HiddenTear, but the encryption algorithm has been modified so that the files cannot be decrypted using known methods.
Malicious code in Yatron for the EternalBlue and DoublePulsar exploits
For your information, EternalBlue is an SMBv1 remote code execution exploit that allows the cybercriminals behind the threat to compromise vulnerable Windows hosts. DoublePulsar, on the other hand, is a backdoor they use to upload a specific payload to an infected host. Analysis states that the Yatron Ransomware-as-a-Service contains code meant to propagate these two exploits across the same network via SMBv1 security vulnerabilities.
This code makes the ransomware more dangerous. Apart from encrypting files and making them inaccessible, it creates the risk of further system compromise. The major risks, should these two components propagate over the network and install on the system alongside the ransomware, are:
- The ransomware can cause various problems inside the system. The Eternalblue-2.2.0.exe process will appear in Task Manager and run from multiple locations at all times. It modifies Windows registry keys, the Command Prompt, DNS configuration, etc. In short, it degrades PC performance and makes the machine respond more slowly than before.
- The ransomware intrudes with the Doublepulsar-1.3.1.exe component, which means the cybercriminals can upload other malware into the infected host. This malware will intrude together and conduct numerous activities that cause major damage to the PC.
Currently, the two components are unfinished, so Yatron is not yet utilizing the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executable files. Nevertheless, no decrypter has been created by cyber-security experts, so it is being distributed widely nowadays and is causing concern among several cyber-security experts.
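A defender's host-triage check built from the indicators this write-up names (the .Yatron extension, the dropped .txt note with its 72-hour deadline, and the two exploit executable names), as an added Python example that is not from the original page; the host state is constructed inline and the note-text pattern is an assumed heuristic.

```python
# Host triage for the Yatron indicators named above. Added example, not code
# from the original page; the host state below is constructed sample data.
import re
from pathlib import PureWindowsPath

# Indicators from the write-up: appended extension, dropped .txt note with a
# 72-hour deadline, and the two exploit executables Yatron carries.
YATRON_EXT = ".yatron"
EXPLOIT_IMAGES = {"eternalblue-2.2.0.exe", "doublepulsar-1.3.1.exe"}
NOTE_PATTERN = re.compile(r"\b72\s*hours?\b", re.IGNORECASE)  # heuristic


def triage(file_paths, note_texts, process_images):
    """file_paths: Windows paths on disk; note_texts: path -> contents of small
    .txt files; process_images: running image names. Returns a findings dict."""
    encrypted = [p for p in file_paths
                 if PureWindowsPath(p).suffix.lower() == YATRON_EXT]
    notes = [p for p, txt in note_texts.items()
             if PureWindowsPath(p).suffix.lower() == ".txt"
             and NOTE_PATTERN.search(txt)]
    exploit_procs = sorted(img for img in process_images
                           if img.lower() in EXPLOIT_IMAGES)
    # Directories holding encrypted files scope the restore-from-backup work.
    affected_dirs = sorted({str(PureWindowsPath(p).parent) for p in encrypted})
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "exploit_processes": exploit_procs,
        "affected_dirs": affected_dirs,
        # Either exploit image running means SMBv1 spread is in play: isolate.
        "lateral_movement_risk": bool(exploit_procs),
    }

# Constructed sample host state (not real data).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.Yatron",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.Yatron",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_NOTES = {
    r"C:\Users\alice\Documents\README.txt":
        "Your files are encrypted. Pay within 72 hours or they will be deleted.",
    r"C:\Users\alice\Documents\notes.txt": "team meeting at 10",
}
SAMPLE_PROCS = ["explorer.exe", "Eternalblue-2.2.0.exe", "svchost.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_NOTES, SAMPLE_PROCS))
```

Feed it a real file listing and process snapshot from an endpoint tool to get a per-host view of which directories need restoring and whether the exploit components are already running.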