New Ransomware-as-a-Service ‘Yatron’ promoted via Twitter

  • Yatron has the ability to distribute via P2P programs by copying the ransomware executable to default folders used by programs like Kazaa, Ares, eMule, and more.
  • This ransomware could also delete the encrypted files if a payment has not been made within 72 hours.

A new Ransomware-as-a-Service named ‘Yatron’ is being promoted via Twitter. The RaaS is offered for a single payment of $100.

What is a RaaS - A Ransomware-as-a-Service is a service that supplies ransomware and a payment server to cybercriminals and would-be hackers who sign up to the service, so that they can distribute the ransomware and infect victims themselves.

The ransom payments received from victims are then shared between the member and the service provider.

Yatron RaaS - A security researcher who goes by the name ‘A Shadow’ notified BleepingComputer about the Yatron RaaS. BleepingComputer then analyzed the source code of the Yatron ransomware with the help of another researcher, Michael Gillespie.

More details on the analysis

  • When executed, Yatron scans the targeted system for files and encrypts them.
  • The encrypted files are given the .yatron extension.
  • The ransomware then sends the encryption password and a unique ID back to its C&C server.

Gillespie noted that Yatron is based on HiddenTear, but its encryption algorithm has been modified so that the files can no longer be decrypted.

Worth noting

  • Yatron includes code to spread to other Windows machines via the EternalBlue and DoublePulsar exploits. However, the code is incomplete, and the ransomware currently does not ship the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executables it would need.
  • Yatron can spread via P2P programs by copying the ransomware executable into the default shared folders used by programs such as Kazaa, Ares, and eMule.
  • The ransomware can also delete the encrypted files if a payment has not been made within 72 hours. However, users can terminate the ransomware process, for example with Process Explorer running as Administrator, to prevent the files from being deleted.

Features of Yatron RaaS

Yatron RaaS offers a FUD (fully undetectable) ransomware and FUD decryptor with the following advertised features:

  • Ability to encrypt all disks and files
  • Ability to delete shadow copies
  • Ability to bypass UAC
  • Ability to spread via P2P, USB, and LAN
  • Anti-kill process protection (resists being terminated)
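As an added defender-side example (not code from the article, the researchers, or the RaaS itself), the Python triage heuristic below scores per-process endpoint events for three behaviours described in the "Worth noting" and feature lists: bulk creation of .yatron files, an executable dropped into a P2P client's folder, and shadow copy deletion. The event tuple format, the P2P folder-name matching and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

ENCRYPTED_EXT = ".yatron"                    # extension the article reports
# P2P clients named in the article; matching their default folders by name is an assumption
P2P_DIR_HINTS = ("kazaa", "ares", "emule")

# Constructed sample of endpoint events (pid, image, action, target); not real telemetry.
SAMPLE_EVENTS = [
    (4120, "sample.exe", "file_create", r"C:\Users\alice\Documents\report.docx.yatron"),
    (4120, "sample.exe", "file_create", r"C:\Users\alice\Documents\budget.xlsx.yatron"),
    (4120, "sample.exe", "file_create", r"C:\Users\alice\Pictures\holiday.jpg.yatron"),
    (4120, "sample.exe", "file_create", r"C:\Program Files\eMule\Incoming\setup.exe"),
    (4120, "sample.exe", "shadow_copy_delete", "all"),
    (880, "explorer.exe", "file_create", r"C:\Users\alice\Desktop\notes.txt"),
]


def triage(events, min_encrypted=3):
    """Group events by pid and flag processes showing two or more Yatron-like behaviours.

    Returns {pid: {"image", "encrypted_files", "p2p_drops", "shadow_copy_delete", "verdict"}}.
    """
    per_pid = defaultdict(lambda: {"image": None, "encrypted_files": 0,
                                   "p2p_drops": 0, "shadow_copy_delete": False})
    for pid, image, action, target in events:
        rec = per_pid[pid]
        rec["image"] = image
        low = target.lower()
        if action == "file_create" and low.endswith(ENCRYPTED_EXT):
            rec["encrypted_files"] += 1          # mass renaming/creation of .yatron files
        elif (action == "file_create" and low.endswith(".exe")
              and any(hint in low for hint in P2P_DIR_HINTS)):
            rec["p2p_drops"] += 1                # executable placed in a P2P shared folder
        elif action == "shadow_copy_delete":
            rec["shadow_copy_delete"] = True     # removes the victim's local recovery option
    for rec in per_pid.values():
        indicators = ((rec["encrypted_files"] >= min_encrypted)
                      + bool(rec["p2p_drops"]) + rec["shadow_copy_delete"])
        rec["verdict"] = "ransomware-like" if indicators >= 2 else "benign"
    return dict(per_pid)


if __name__ == "__main__":
    for pid, rec in triage(SAMPLE_EVENTS).items():
        print(pid, rec)
```

A process flagged "ransomware-like" is the one to terminate before the 72-hour deletion window described above, after which the encrypted files should be preserved for any future decryptor.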