YAYA Ransomware Description
After analyzing the YAYA Ransomware's underlying code, infosec researchers determined that the threat is not wholly unique but is a variant belonging to the Globe Imposter Ransomware family. As such, the YAYA Ransomware operates in the way typical of such threats. It tries to sneak itself onto the targeted computer before initiating an encryption process that affects nearly all of the most widely used file types - photos, documents, audio, video, databases, etc. After encryption, users will no longer be able to access their personal or business-related files.
The malware threat will modify the name of every file it affects by appending '.YAYA' as a new extension. A note with instructions will be dropped in the form of an HTML file named 'how_to_back_files.html.' The hackers do not specify the exact amount they want to receive in exchange for the decryptor tool, or whether the money must be paid in one of the numerous cryptocurrencies. They do clarify that users will receive further instructions after initiating contact through the 'firstname.lastname@example.org' email address. An alternate address is also provided - 'email@example.com.' Affected users are allowed to attach a single image or text file to the emails to be decrypted for free.
The full set of instructions delivered by YAYA Ransomware is:
'YOUR PERSONAL ID
YOUR FILES ARE ENCRYPTED!
TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 crypted test image or text file or document to firstname.lastname@example.org
(Or alternate mail email@example.com )
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except firstname.lastname@example.org, will decrypt your files.
Only email@example.com can decrypt your files
Do not trust anyone besides firstname.lastname@example.org
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key.'
Globe Imposter Ransomware Is Anything But an Imitation
Security researchers created a free file-unlocking tool for Globe Imposter in 2016, but newer malware versions render this tool unusable. Experts warn it is unlikely to work with the latest version of the virus or with other members of the family. Viruses such as this continue to remind us that we can't take threats at face value anymore.
In the case of YAYA ransomware, malware researchers regularly see variants in the wild with random file names and no information on the infection vector, such as whether Trojan droppers or digital signatures are used for distribution. YAYA Ransomware cuts off access to most common file types, including documents, music, images, videos, spreadsheets, archives, and other files. Please be aware that while the virus does change the file extension of infected files, changing it back won't do you any good, because the file contents themselves have been encrypted. Globe Imposter variants often come with the ability to delete Restore Points and other internal file-recovery methods. However, researchers haven't seen YAYA doing this.
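The following triage script is an added example, not code from the page or from the researchers it cites. It walks a directory tree looking for the two indicators the page names (the appended '.YAYA' extension and the 'how_to_back_files.html' note) and uses a byte-entropy check (the 7.0 bits-per-byte threshold is an assumption) to separate files whose contents are actually encrypted from files that were merely renamed; the sample directory it builds is constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the description above.
YAYA_EXTENSION = ".YAYA"
RANSOM_NOTE = "how_to_back_files.html"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain text usually stays well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, entropy_threshold=7.0):
    """Report '.YAYA' files, ransom notes and the directories they were found in.

    Files carrying the extension are bucketed by whether their first 4 KiB looks
    encrypted (high entropy) or merely renamed (readable, low entropy); the
    threshold is an assumed heuristic, not a value from the page.
    """
    report = {"encrypted_files": [], "renamed_only": [], "notes": [], "dirs_hit": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                report["notes"].append(str(path))
                report["dirs_hit"].add(dirpath)
            elif name.endswith(YAYA_EXTENSION):
                report["dirs_hit"].add(dirpath)
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                bucket = "encrypted_files" if shannon_entropy(head) >= entropy_threshold else "renamed_only"
                report[bucket].append(str(path))
    return report


def build_sample_tree() -> str:
    """Constructed sample: one high-entropy '.YAYA' file, one file that was only renamed, one note."""
    root = tempfile.mkdtemp(prefix="yaya_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.YAYA").write_bytes(os.urandom(4096))  # random bytes stand in for ciphertext
    (docs / "notes.txt.YAYA").write_text("just renamed, still readable\n" * 100)
    (docs / RANSOM_NOTE).write_text("<html>YOUR FILES ARE ENCRYPTED!</html>")
    (Path(root) / "untouched.txt").write_text("hello")
    return root


if __name__ == "__main__":
    for key, value in scan_tree(build_sample_tree()).items():
        print(key, sorted(value))
```

Running it on a real host is a scoping aid only: an affected directory list tells you where to restore from backup, and the entropy bucket tells you whether a file is worth attempting to open after removing the extension.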
YAYA aims to cut off access to potentially irreplaceable files and media to coerce users into paying a ransom. Payment could do more harm than good, however. There is no guarantee that the attackers will live up to their end of the bargain. Rather than dealing with the ransomware, users should take steps to protect their computers and create file backups.
Preventing ransomware like this from getting on your computer is easier than it sounds. You can take some simple steps, but these are things you should be doing anyway for the sake of your computer and privacy. Experts recommend:
- Creating strong passwords to prevent hackers from forcing their way into accounts
- Avoiding activating scripts and macros in documents and spreadsheets
- Updating your operating system and software regularly using legitimate updates, and avoiding fake updates
More often than not, viruses require some human action to infect a computer, such as opening a malicious email attachment. The good news is that antivirus programs should catch and block the infection even if you fall for these tricks. Listen to your antivirus software when it tells you something is a trap.
YAYA Ransomware is another in a long line of file-encryption viruses that take advantage of user carelessness. It might not seem like a big deal to not have a data backup, but it’s too late to realize you need one after a ransomware attack. It’s better to be safe than sorry, so create at least two backups of your data – one offline and one online – and invest in robust antivirus computer security to keep your machine safe.