A report has been released providing information regarding new samples of the Yanluowang ransomware. The recent report shed light on the ransomware operations that targeted U.S. corporations since August.

The analysis

According to Trend Micro, the ransomware samples have few detections but they most likely enter a system via remote desktop tools.
  • One distinguishing element found in the ransomware samples is that the files are code-signed with a valid digital signature, which could either be stolen or fraudulently signed.
  • Upon execution, the ransomware terminates certain processes related to managing databases (Veeam/SQL). It leads to the loss of access to backup files and increased pressure on victims.
  • The ransomware tries to terminate a few more processes using command prompt if they match specific strings, such as mysql*, veeam*, chrome*, iexplore*, firefox*, and outlook*.

More capabilities

  • Besides terminating the aforementioned processes, the ransomware forcefully stops certain services using the net stop command line that includes the likes of SQLWriter, WinDefend, mr2kserv, and SPTimerV4, and others.
  • Additionally, the ransomware terminates running virtual machines forcefully using a particular command line.
  • The ransomware encrypts the files by appending a (.yanluowang) extension and finally drops the ransom note.


The recent report on Yanluowang ransomware helps security researchers with a better understanding of its operations. It will aid enterprises in creating security frameworks for ransomware defense. Additionally, enterprises should focus on protecting their backup management software to avoid any mishaps.

Cyware Publisher