New Yanluowang ransomware used in targeted corporate attacks


New Yanluowang ransomware used in targeted corporate attacks

As Broadcom’s Symantec Threat Hunter team discovered, a new strain of ransomware still in development is being used in highly targeted attacks against corporate entities.

The malware, dubbed Yanluowang ransomware (after Chinese deity Yanluo Wang, one of the Ten Kings of Hell) is based on the extension it adds to encrypted files on compromised systems.

It was recently spotted while investigating an incident involving a leading organization after detecting suspicious activity involving the legitimate AdFind command-line Active Directory query tool.

AdFind is commonly used by ransomware operators for reconnaissance tasks, including accessing information needed for lateral movement through their victims’ networks.

Victims warned not to ask for help

Days after researchers spotted the suspicious use of AdFind, attackers also attempted to deploy their Yanluowang ransomware payloads to the breached organization’s systems.

Before being deployed to compromised devices, ransomware operators launch a malicious tool designed to do the following:

  • Create a .txt file with the number of remote machines to check in the command line
  • Uses Windows Management Instrumentation (WMI) to get a list of processes running on remote machines listed in the .txt file
  • Records all processes and remote machine names in process.txt

Once deployed, Yanluowang will shut down the hypervisor virtual machines, terminate all processes harvested by the forerunner (including SQL and Veeam), encrypt files, and add the .yanluowang extension.

On encrypted systems, Yanluowang also files a ransom note named README.txt which warns its victims not to contact law enforcement or seek help from ransomware trading firms.

Yanluowang ransom note
Ransom note from Yanluowang (Broadcom Symantec Threat Hunter team)

Threats of DDoS attacks

“If attackers’ rules are broken, ransomware operators say they will carry out distributed denial of service (DDoS) attacks against victim, as well as’ calls to employees and business partners’,” the researchers added. from Broadcom.

“Criminals are also threatening to repeat the attack ‘in a few weeks’ and to delete victim data,” a common tactic used by most ransomware gangs to pressure their victims to pay the ransom.

Indicators of compromise, including malware hashes, are available at the end of the Symantec Threat Hunter team report.

Even though it is under development, Yanluowang is still dangerous malware as ransomware is one of the biggest threats organizations face worldwide.

The White House National Security Council is hosting a series of meetings this week between senior officials from more than 30 countries as part of a virtual international anti-ransomware event to join US efforts to suppress ransomware cybercrime groups.

After the ransomware attacks on Colonial Pipeline and JBS this summer, Deputy National Security Advisor Anne Neuberger also called on US companies to take ransomware seriously.


Please enter your comment!
Please enter your name here