The Yanluowang Ransomware
A new ransomware strain that is still under development is being used in targeted attacks against corporate organizations. Known as Yanluowang because of the extension it appends to encrypted files on infected computers, the ransomware is named after Yanluo Wang, a Chinese deity who is one of the Ten Kings of Hell.
The malware was discovered during the investigation of an incident at a high-profile organization, which revealed unusual activity involving AdFind, a legitimate command-line Active Directory query tool.
Ransomware operators commonly use AdFind for reconnaissance, gathering the Active Directory information they need for lateral movement inside a victim's network. So when researchers from Broadcom's Symantec Threat Hunter Team spotted the unusual AdFind usage, they recognised it as a likely precursor to an attack. The attackers' next move was to attempt to deploy the Yanluowang ransomware payload across the compromised organization's systems.
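Because AdFind activity was the first signal in this case, the check a defender wants is a rule over process-creation telemetry that fires on AdFind-style queries. The example below is added here and is not code from the Symantec report or from the Yanluowang tooling. It matches on command-line arguments rather than on the image name, because attackers routinely rename the AdFind binary; the list of argument patterns, the tab-separated log format and the sample log lines are all assumptions constructed for the example.

```python
"""
Added example: flag AdFind-style Active Directory reconnaissance in
process-creation telemetry. Not code from the Symantec report or the
Yanluowang tooling. The log format, pattern list and sample events
below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Command-line fragments commonly seen in AdFind reconnaissance
# (user/computer/OU/subnet/group enumeration and trust dumps). This
# list is the analyst's assumption; tune it to your environment.
ADFIND_PATTERNS = [
    r"objectcategory=person",
    r"objectcategory=computer",
    r"objectcategory=organizationalunit",
    r"objectcategory=subnet",
    r"objectcategory=group",
    r"-sc\s+trustdmp",
    r"-subnets",
    r"-gcb",
]
ADFIND_RE = re.compile("|".join(ADFIND_PATTERNS), re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executable
    command_line: str   # full command line as logged


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed log line: host<TAB>user<TAB>image<TAB>command_line."""
    host, user, image, cmd = line.rstrip("\n").split("\t", 3)
    return ProcessEvent(host, user, image, cmd)


def is_adfind_recon(ev: ProcessEvent) -> bool:
    """True if the event looks like AdFind reconnaissance.

    The image-name check catches unrenamed copies; the argument check
    catches renamed copies (af.exe, a.exe, ...) by their query syntax.
    """
    name_hit = ev.image.lower().endswith("\\adfind.exe")
    args_hit = ADFIND_RE.search(ev.command_line) is not None
    return name_hit or args_hit


def find_adfind_recon(log_text: str) -> list[ProcessEvent]:
    """Return every event in the log that matches the rule."""
    return [ev for ev in map(parse_event, log_text.splitlines()) if is_adfind_recon(ev)]


def recon_hosts(log_text: str) -> dict[str, int]:
    """Count matching events per host, to surface the machine doing the enumeration."""
    return dict(Counter(ev.host for ev in find_adfind_recon(log_text)))


# Constructed sample telemetry (not real logs). The second and third hosts
# run a renamed AdFind (af.exe), which only the argument check catches.
SAMPLE_LOG = """\
WS01\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\jdoe\\notes.txt
WS01\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe\tadfind.exe -f (objectcategory=person) > ad_users.txt
WS02\tCORP\\svc_build\tC:\\Windows\\Temp\\af.exe\taf.exe -f objectcategory=computer
WS02\tCORP\\svc_build\tC:\\Windows\\Temp\\af.exe\taf.exe -gcb -sc trustdmp
DC01\tCORP\\admin\tC:\\Windows\\System32\\dsquery.exe\tdsquery user -name j*
"""

if __name__ == "__main__":
    for ev in find_adfind_recon(SAMPLE_LOG):
        print(f"[ADFIND RECON] host={ev.host} user={ev.user} cmd={ev.command_line}")
    print("per-host counts:", recon_hosts(SAMPLE_LOG))
```

Note that the final sample line, a `dsquery` lookup by a domain admin, does not fire: the rule is specific to AdFind query syntax, so it will not catch AD enumeration done with built-in tools. Treat it as one signal to correlate with others (a burst of such queries from a workstation rather than an admin host, or a user who never ran AD tooling before), not as the whole detection.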
Before deploying the ransomware, the threat actors ran a precursor tool on the infected computers. The role of this tool was to perform the following tasks:
- Create a .txt file listing the remote computers to be checked, supplied on the command line.
- Use Windows Management Instrumentation (WMI) to retrieve the list of processes running on each remote computer named in the .txt file.
- Write the names of all running processes, together with the remote machine each runs on, to a file named processes.txt.
Victims are warned not to seek assistance.
The report states that once Yanluowang runs on a compromised system, it stops the hypervisor virtual machines running on the machine, terminates SQL and Veeam backup processes, encrypts files and appends the .yanluowang extension to each of them.
It also drops a ransom note named README.txt on encrypted systems, warning victims not to contact law enforcement or seek help from ransomware negotiation firms.
If these instructions are violated, the attackers threaten to launch DDoS attacks against the victim, to call the victim's employees and business partners, and to delete the encrypted data, all to pressure the victim into paying the ransom.
Ransomware remains a major threat to businesses worldwide. Even though Yanluowang is still under development, it is dangerous malware that should not be underestimated. Organizations and users who want to protect themselves should follow security best practices, keep their systems updated to the latest versions and maintain reliable, regularly tested backups.