FANDOM


Yatron is a ransomware that runs on Microsoft Windows. It spreads by using EternalBlue and DoublePulsar exploits via the SMBv1 vulnerability.

Payloads

When executed, it will scan the computer for targeted files and encrypt them. When encrypting a file, it will append the .Yatron extension to an encrypted file's name. 

After it has finished encrypting files, it will send the encryption password and unique ID back to the ransomware's command and control server. According to Gillespie, this ransomware is based off of HiddenTear, but its encryption algorithm has been modified so that it cannot be decrypted using current methods.

Yatron will attempt to spread via P2P programs by copying the ransomware executable to default folders used by programs like Kazaa, Ares, eMule, and more. The goal is that when these programs are started, the ransomware will automatically be shared by the P2P client.

When finished, the ransomware will display an interface that contains a 72 hour countdown until the encrypted files are deleted. To protect files from being deleted, a user can simply terminate the ransom process using a tool like Process Explorer running as an Administrator.

The text file the ransomware drops says:

Your personal files are encrypted By Yatron
Oops ,Your Files Have Been Encrypted
your important files are encrypted !
Your documents, photos, databases and Other personal files are encrypted ?
the files that you looked for not readable ?
We are the only ones who can decrypt your files Through the unique key.
what should I do for decrypting my files?
If you want to recover your files, you must purchase a the unique key
send 0.5 btc to the payment address : ***
Send us your ID after your payment
Email to contact us : yatron_Decryptor@mail.ru
As proof you can email us 2 files to decrypt and we will send you the recover files to prove that we can decrypt your files

you have 3 Days to pay or Your files will be deleted
Community content is available under CC-BY-SA unless otherwise noted.