[BreachExchange] Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits

Destry Winant destry at riskbasedsecurity.com
Thu Mar 14 03:42:20 EDT 2019


A new Ransomware-as-a-Service called Yatron is being promoted on
Twitter that plans to use the EternalBlue and DoublePulsar exploits
to spread to other computers on a network. This ransomware will also
attempt to delete encrypted files if a payment has not been made in 72

BleepingComputer was first notified about the Yatron RaaS by a
security researcher who goes by the name A Shadow. Since then, the
actor behind this ransomware has strangely been promoting the service
by tweeting to various ransomware and security researchers as shown

After seeing one of these tweets, BleepingComputer was able to find a
sample on VirusTotal and with the help of Michael Gillespie, we
started to examine the source code of the ransomware.

Like any other ransomware, when executed it will scan the computer for
targeted files and encrypt them. When encrypting a file, it will
append the .Yatron extension to an encrypted file's name as shown

After it has finished encrypting files, it will send the encryption
password and unique ID back to the ransomware's command and control
server. According to Gillespie, this ransomware is based on
HiddenTear, but its encryption algorithm has been modified so that it
cannot be decrypted using current methods.

Once the encryption is done, things begin to get more interesting.

Yatron contains code to utilize the EternalBlue and DoublePulsar
exploits to spread to Windows machines on the same network using SMBv1
vulnerabilities that were fixed by the MS17-010 update in March 2017
and should have been patched a long time ago. Thankfully, the code to
utilize these exploits is incomplete, and the ransomware does not
currently include the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe
executables that it relies on.

You can see, though, some of the code that attempts to configure
variables that will be used to execute the exploit commands in the
screenshot below.

The next screenshot shows the ransomware attempting to trigger these
exploits, which would only work if the required executables existed on
the computer.
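As an added example that is not code from the article or from Yatron, the following PowerShell script audits whether SMBv1 is enabled on the local host and, with an assumed -Remediate switch, switches it off, which removes the listener the EternalBlue/DoublePulsar spreading path needs. Turning SMBv1 off is the broad fix; hosts that must keep SMBv1 still need the MS17-010 update, which this script does not check. The registry paths and sc.exe sequence are Microsoft's documented ones; the script and parameter names are chosen here.

```powershell
# Added example, not code from the article or from Yatron: audit SMBv1 on the
# local host and, with the assumed -Remediate switch, switch it off so the
# EternalBlue/DoublePulsar spreading path has no SMBv1 listener to hit.
# Run in an elevated PowerShell session for the remediation branch.
param(
    [switch]$Remediate
)

$lanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb10Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server side. Get-SmbServerConfiguration ships with Windows 8 / Server 2012
    # and later; on older hosts read the registry value it wraps instead
    # (SMB1 = 0 means off; a missing value means the legacy default, on).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path $lanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue
        $serverEnabled = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    }

    # Client side. mrxsmb10 is the SMB1 redirector driver; Start = 4 is
    # SERVICE_DISABLED. Get-Service does not list kernel drivers, hence the registry.
    $drv = Get-ItemProperty -Path $mrxsmb10Key -Name Start -ErrorAction SilentlyContinue
    $clientEnabled = ($null -ne $drv) -and ($drv.Start -ne 4)

    # Optional-feature view (Windows 8/10 clients, needs elevation); 'n/a' elsewhere.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State.ToString() } else { 'n/a' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Server   = $serverEnabled
        Smb1Client   = $clientEnabled
        Smb1Feature  = $featureState
    }
}

$before = Get-Smb1Status
$before | Format-List

if ($Remediate -and ($before.Smb1Server -or $before.Smb1Client)) {
    # Server: prefer the cmdlet, fall back to the registry value on legacy hosts.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanServerKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client: drop the LanmanWorkstation dependency on mrxsmb10 and disable the
    # driver (Microsoft's documented sequence for hosts without the feature API).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Host 'SMBv1 disabled; reboot for the client-side change to take effect.'
    Get-Smb1Status | Format-List
}
```

Save it under any name (say Audit-Smb1.ps1, an assumed name) and run it plain to report, or with -Remediate from an elevated prompt to disable. The audit reads three independent signals (server setting, client driver start type, optional feature) because a host can have the server protocol off while the client redirector is still loaded, and the reverse.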

In addition to exploiting vulnerabilities, Yatron will attempt to
spread via P2P programs by copying the ransomware executable to
default folders used by programs like Kazaa, Ares, eMule, and more.
The goal is that when these programs are started, the ransomware will
automatically be shared by the P2P client.
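As an added example that is not part of the article (nor Yatron's code), here is a PowerShell triage script for the two file-system traces described above: files carrying the .Yatron extension from the encryption step, and fresh executables dropped into P2P share folders. The .Yatron extension is from the article; the Kazaa, Ares and eMule folder paths are assumed default install locations and should be adjusted to the environment, and the search roots and lookback window are parameters chosen here.

```powershell
# Added example, not the article's or Yatron's code: host triage for
# (1) files renamed with the '.Yatron' extension and (2) recent executables
# in P2P share folders, where the article says the ransomware copies itself.
# The share-folder paths below are assumed defaults; adjust to your estate.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData"),
    [int]$NewerThanHours = 72
)

$p2pShareFolders = @(
    "${env:ProgramFiles}\Kazaa\My Shared Folder",
    "${env:ProgramFiles(x86)}\Kazaa\My Shared Folder",
    "${env:ProgramFiles}\Ares\My Shared Folder",
    "${env:ProgramFiles(x86)}\Ares\My Shared Folder",
    "${env:ProgramFiles}\eMule\Incoming",
    "${env:ProgramFiles(x86)}\eMule\Incoming"
)

function Find-YatronEncryptedFiles {
    param([string[]]$Roots)
    # Encrypted files get '.Yatron' appended, so an extension match is exact.
    # Sorting by LastWriteTime lets the earliest hit anchor the IR timeline.
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.Yatron' -Force -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime |
        Select-Object FullName, Length, LastWriteTime
}

function Find-P2PShareDrops {
    param([string[]]$Folders, [int]$Hours)
    # A ransomware copy in a P2P share folder is a fresh executable in a
    # directory that normally holds downloaded media. Report any recent one
    # with its SHA-256 so it can be checked against VirusTotal offline.
    $cutoff = (Get-Date).AddHours(-$Hours)
    $exeExtensions = @('.exe', '.scr', '.com', '.pif')
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($exeExtensions -contains $_.Extension.ToLower()) -and ($_.LastWriteTime -gt $cutoff) } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder        = $folder
                    File          = $_.Name
                    LastWriteTime = $_.LastWriteTime
                    Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$encrypted = @(Find-YatronEncryptedFiles -Roots $SearchRoots)
$drops     = @(Find-P2PShareDrops -Folders $p2pShareFolders -Hours $NewerThanHours)

"Encrypted (.Yatron) files found: $($encrypted.Count)"
if ($encrypted.Count -gt 0) {
    "Earliest encrypted file: $($encrypted[0].FullName) at $($encrypted[0].LastWriteTime)"
}
"Recent executables in P2P share folders: $($drops.Count)"
$drops | Format-Table -AutoSize
```

The earliest .Yatron timestamp is worth more than the count: it bounds when execution started, which is what you compare against logon, e-mail and download evidence. Hashes of anything found in the share folders can be matched against the VirusTotal sample the article mentions once you have its hash.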

When finished, the ransomware displays an interface with a 72 hour
countdown, after which the encrypted files are deleted. To protect
files from being deleted, a user can terminate the ransomware process
using a tool like Process Explorer running as an

As the sample we analyzed may not be the most up-to-date, some of the
above features may have changed or become fully functional. If we find
a newer sample, we will update the article as needed.

Promoted as a RaaS

Yatron is promoted as a Ransomware-as-a-Service, but does things a bit
differently than most RaaS services.

Typically, when wannabe criminals join a RaaS, the developer takes a
revenue share of all submitted ransom payments. For example, some RaaS
services will take 20% of all ransom payments, while the
affiliate/distributor earns the remaining 80%.

Like another recent RaaS called Jokeroo, the developer of Yatron is
selling access to the RaaS for $100 in bitcoins, with no fee going
forward. This model is being used because most RaaS services never
earn any money; by having affiliates buy in, the ransomware developers
collect some revenue up front.

Like all RaaS offerings, Yatron promises a FUD (fully undetectable by
antivirus) executable, the ability to encrypt a computer, and the
deletion of shadow copies. As described earlier in the article, this
ransomware also aims to be able to spread via P2P, USB, and LAN.
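The shadow-copy deletion promised above is the feature that turns a recoverable incident into a rebuild, so it is worth checking for directly. As an added example (not the article's or Yatron's code), the PowerShell script below lists the Volume Shadow Copies still present on a host and searches process-creation events for the command lines ransomware commonly uses to remove them. The vssadmin/wmic/wbadmin/bcdedit patterns are an assumption of this example, since the article says only that Yatron deletes shadow copies; the event search needs Security event 4688 with command-line auditing enabled and an elevated session.

```powershell
# Added example, not code from the article or from Yatron: report surviving
# shadow copies and look for the usual shadow-copy deletion commands in
# process-creation events. The command patterns are an assumption (common
# ransomware tooling), not something the article attributes to Yatron.
# Requires: elevated session; Security 4688 events with command-line auditing.
param([int]$LookbackHours = 72)

function Get-ShadowCopyInventory {
    # One row per snapshot. An empty result on a host that used to keep
    # restore points is itself a finding.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, InstallDate
}

function Find-ShadowCopyDeletionEvents {
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    # 4688 = "A new process has been created"; the "Process Command Line"
    # field is populated only when command-line auditing is switched on.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        if ($msg -match 'vssadmin(\.exe)?\s+delete\s+shadows' -or
            $msg -match 'wmic(\.exe)?\s+shadowcopy\s+delete' -or
            $msg -match 'wbadmin(\.exe)?\s+delete\s+catalog' -or
            $msg -match 'bcdedit(\.exe)?.*recoveryenabled\s+no') {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Evidence    = (($msg -split "`n") | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            }
        }
    }
}

$shadows = @(Get-ShadowCopyInventory)
"Shadow copies present: $($shadows.Count)"
$shadows | Format-Table -AutoSize

$deletions = @(Find-ShadowCopyDeletionEvents -Hours $LookbackHours)
"Shadow-copy deletion commands seen in the last $LookbackHours h: $($deletions.Count)"
$deletions | Format-Table -Wrap
```

If 4688 command-line auditing is not enabled the second function returns nothing even on a compromised host, so treat an empty result there as "no visibility", not "no deletion"; Sysmon event 1, where deployed, carries the same command line and can be queried the same way with LogName 'Microsoft-Windows-Sysmon/Operational'.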

At the time of this writing, no one has paid to gain access to this ransomware.
