Warning about a ransomware strain called Yanluowang
Posted by: GuidePoint Security
Published 12/8/21, 9:00am
A new ransomware strain dubbed Yanluowang (after a Chinese deity and one of the ten kings of hell) is targeting the US financial sector, with additional attacks targeted at manufacturing, IT services, consulting, and engineering businesses. Security researchers have observed an increase in Yanluowang campaigns since August.
Based on security researchers’ review of tactics, techniques, and procedures (TTPs), the threat actor behind the Yanluowang attacks appears to be connected to an earlier type of ransomware known as Thieflock, a ransomware-as-a-service (RaaS) operation developed by the Canthroid (also called Fivehands) criminal gang. The former Thieflock affiliate appears to have switched over to the Yanluowang ransomware strain and ramped up attacks, likely in an effort to establish itself in the ransomware market.
TTPs used by the Yanluowang threat actors include:
- Delivery of the BazarLoader malware in the reconnaissance phase.
- Deployment of a specific and legitimate remote access tool.
- Deployment of AdFind to perform lateral movement and identify systems of interest.
- Use of credential-stealing tools, including GrabFF, GrabChrome, and BrowserPassView.
- Use of a specific PowerShell script called KeeThief to copy the master key from KeePass.
When deployed, the Yanluowang ransomware stops any hypervisor virtual machines running on the compromised computer, terminates the processes listed in its processes.txt file, and encrypts files, appending the .yanluowang extension to each. The ransom note delivered by the Yanluowang threat actors warns victims that the attackers will conduct distributed denial of service (DDoS) attacks against the victim, delete data, and contact employees and business partners if the victim attempts to contact law enforcement or work with a ransomware negotiation firm.
Next Steps
Anti-phishing security solutions, password management, multifactor authentication, and regular software updates and patching of bugs and vulnerabilities can all help reduce the threat of a ransomware attack. Contrary to claims and threats made by ransomware threat actors, victims of ransomware are strongly encouraged to contact law enforcement and work with a professional ransomware investigation and response team.