A threat actor linked to the Thieflock ransomware operation may now be using the Yanluowang ransomware, according to new research. Yanluowang has been used in multiple attacks against U.S. entities.

What has happened?

Researchers at Symantec spotted the connection between Thieflock and Yanluowang ransomware in October, when the latter was found targeting large entities in the U.S.
  • Yanluowang ransomware has been active since August and has targeted companies in the IT services, manufacturing, engineering, and consultancy sectors.
  • Researchers believe the attackers are highly focused, since the ransomware's behavior has not changed since its discovery.

How the connection was made

Researchers spotted a link between the new Yanluowang attacks and older attacks involving Thieflock, a RaaS created by the Canthroid group (aka Fivehands).
  • For reconnaissance and lateral movement, Yanluowang attackers deploy AdFind (an Active Directory query tool) and SoftPerfect Network Scanner (netscan.exe), the same tooling observed in Thieflock attacks.
  • In the next stage of the attack, multiple tools (GrabFF, GrabChrome, and BrowserPassView) are used for credential theft from browsers. The same tools were used in Thieflock attacks.
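The tool overlap above is the kind of signal a defender can hunt for directly in process-creation telemetry (Windows 4688 or Sysmon Event ID 1). The following is an added example, not code from Symantec or from the original article: it classifies constructed process-creation events against the tool names listed above, groups hits per host, and flags hosts where both the reconnaissance/lateral-movement stage and the credential-theft stage appear, which is the strongest match for the two-stage pattern described. The Sysmon OriginalFileName field is checked alongside the image path because attackers commonly rename dropped binaries; the AdFind command-line pattern and the sample events are assumptions constructed for illustration.

```python
"""Hunt process-creation events for the AdFind / netscan / browser-grabber tool set."""
import re
from collections import defaultdict

# Tool indicators from the article, grouped by the stage in which they appear.
# Names are lowercased executable names; both Image basename and Sysmon
# OriginalFileName (PE version resource) are compared against them.
TOOLS = {
    "recon_lateral": {"adfind.exe", "netscan.exe"},
    "credential_theft": {"grabff.exe", "grabchrome.exe", "browserpassview.exe"},
}

# AdFind is typically invoked with an LDAP filter such as
# -f "(objectcategory=person)"; matching the command line catches a renamed
# binary whose version resource was also stripped. (Assumption: typical usage,
# not an indicator from the article.)
ADFIND_FILTER = re.compile(r'-f\s+"?\(?objectcategory=', re.I)

# Constructed sample events (not real telemetry). Fields mirror Sysmon EID 1.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\Temp\\a.exe",
     "original_file_name": "AdFind.exe",
     "cmdline": 'a.exe -f "(objectcategory=person)" -csv'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\netscan.exe",
     "original_file_name": "netscan.exe", "cmdline": "netscan.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\GrabFF.exe",
     "original_file_name": "GrabFF.exe", "cmdline": "GrabFF.exe"},
    {"host": "WS02", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "original_file_name": "firefox.exe", "cmdline": "firefox.exe"},
    {"host": "WS02", "user": "CORP\\asmith", "image": "C:\\ProgramData\\svc.exe",
     "original_file_name": "", "cmdline": "svc.exe -f objectcategory=computer -csv"},
    {"host": "SRV01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\BrowserPassView.exe",
     "original_file_name": "BrowserPassView.exe", "cmdline": "BrowserPassView.exe /stext out.txt"},
]


def basename(path):
    """Lowercased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of attack stages the event's process belongs to."""
    names = {basename(event.get("image", "")),
             event.get("original_file_name", "").lower()}
    stages = {stage for stage, tools in TOOLS.items() if names & tools}
    if ADFIND_FILTER.search(event.get("cmdline", "")):
        stages.add("recon_lateral")
    return stages


def hunt(events):
    """Group matching events per host and per stage: {host: {stage: [events]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for stage in classify(ev):
            hits[ev["host"]][stage].append(ev)
    return {host: dict(stages) for host, stages in hits.items()}


def flag_hosts(hits):
    """Hosts where every stage of the tool chain was observed, sorted by name."""
    return sorted(host for host, stages in hits.items() if set(stages) == set(TOOLS))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, stages in sorted(results.items()):
        for stage, evs in stages.items():
            print(f"{host}: {stage} x{len(evs)} -> {[e['image'] for e in evs]}")
    print("hosts with full tool chain:", flag_hosts(results))
```

A single hit on AdFind or a network scanner is common in administrative work; the per-host combination with a browser credential grabber is what distinguishes this pattern, so triage the flagged hosts first and treat single-stage hits as leads to pivot on (same user, same drop directory such as C:\Users\Public or C:\Windows\Temp).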

Researchers believe that one or more cybercriminal groups that deployed Thieflock in earlier attacks are also involved in deploying Yanluowang ransomware.

Ending notes

Partners or affiliates of ransomware groups often move to different groups when they see greater financial benefits. The same shift is observed when they come under pressure from law enforcement. Whatever the case with Thieflock, organizations are advised to implement a robust anti-ransomware strategy.

Cyware Publisher
