A warning has been issued regarding a new Yanluowang ransomware variant being actively used in targeted attacks.

About Yanluowang ransomware

The ransomware was discovered by Symantec while investigating an attack targeting a high-profile organization.
  • Victims who contact the police or seek third-party help, or who do not meet the ransom demands, are threatened with DDoS attacks and with calls to their employees and business partners.
  • As a further threat, victims are told that they will be attacked again in a few weeks and that their data will be deleted.

The word ‘Yanluowang’ refers to a Chinese deity associated with the underworld. Beyond that, no further information about the origin of this group is available.

How does the attack work?

The attackers behind the ransomware have used the legitimate AdFind command-line Active Directory query tool, which supports reconnaissance and lateral movement.
  • Before Yanluowang is downloaded, another tool creates a .txt file with the number of remote machines to check, taken from the command line, and uses Windows Management Instrumentation (WMI) to obtain a list of running processes.
  • It then logs all the processes and the remote machine names. The ransomware goes on to stop all virtual machines running under a hypervisor, terminate the processes listed in the .txt file, encrypt files, and drop a ransom note.
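The pre-encryption sequence described above (AdFind reconnaissance, WMI process enumeration, shutdown of virtual machines) is what a defender has a chance to catch before files are encrypted. The following correlation script is an added illustration, not code from the article or from Symantec: it groups process-creation events per host and alerts when several of those stages appear within a short window. The event field names, the sample events and the command-line patterns (AdFind.exe, wmic ... process, the Hyper-V Stop-VM cmdlet) are assumptions chosen to demonstrate the approach, not published indicators for this ransomware.

```python
"""Correlate the pre-encryption stages described for Yanluowang
(AdFind recon -> WMI process enumeration -> VM shutdown) across
process-creation events from several hosts."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are an
# assumption loosely modelled on Sysmon Event ID 1 / EDR exports.
# WS-01 shows the full sequence; SRV-09 is a benign admin host.
SAMPLE_EVENTS = [
    {"ts": "2021-10-14T09:00:00", "host": "WS-01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2021-10-14T09:01:10", "host": "WS-01", "user": "CORP\\jdoe",
     "image": "C:\\Temp\\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer dnshostname"},
    {"ts": "2021-10-14T09:04:30", "host": "WS-01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:SRV-02 process list brief"},
    {"ts": "2021-10-14T09:06:00", "host": "WS-01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-VM | Stop-VM -Force"},
    {"ts": "2021-10-14T09:02:00", "host": "SRV-09", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic logicaldisk get size,freespace"},
]


def stage_of(ev):
    """Map one event to a stage name, or None if it matches nothing.
    The patterns are assumptions that illustrate the technique; tune them
    to your own environment's tooling and telemetry."""
    image = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    if image.endswith("adfind.exe") or cmd.startswith("adfind"):
        return "adfind_recon"
    if "wmic" in image and "process" in cmd:
        return "wmi_process_enum"
    if "stop-vm" in cmd:  # Hyper-V cmdlet; other hypervisors need their own rule
        return "hypervisor_stop"
    return None


def correlate(events, window_minutes=30, min_stages=2):
    """Collect stage hits per host and raise one alert per host when at
    least `min_stages` distinct stages occur within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    per_host = {}
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        per_host.setdefault(ev["host"], []).append((ts, stage))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Distinct stages seen from this hit to the end of the window.
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host,
                               "first_seen": t0.isoformat(),
                               "stages": sorted(stages)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring two or more distinct stages on one host keeps a lone legitimate AdFind or WMIC invocation from paging anyone, while the 30-minute window reflects how tightly the stages are described as following one another; widen it if your environment's attackers move more slowly.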

Conclusion

Yanluowang ransomware operators appear to be focused on targeted attacks. According to researchers, the ransomware is not yet mature, and further development of its code can be expected in the near future.

Cyware Publisher