According to Broadcom’s Symantec Threat Hunter Team, a new, still-in-development ransomware strain is being used in targeted attacks against enterprises.
The ransomware is called Yanluowang after the extension it appends to encrypted files on infected systems (the name itself refers to Yanluo Wang, one of the ten kings of hell in Chinese mythology).
Symantec discovered the activity while investigating an incident at a high-profile organization, after spotting suspicious use of AdFind, a legitimate command-line Active Directory query tool.
Ransomware operators frequently use AdFind for reconnaissance, for example to collect the account, group, computer and trust information they need for lateral movement through a victim’s network.
Days after the researchers noticed the suspicious AdFind use, the attackers attempted to deploy Yanluowang ransomware payloads across the compromised organization’s systems.
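Because AdFind use was the first signal in this intrusion, a defender wants a rule that separates its reconnaissance use from routine administration. The Python below is an added detection example, not code from the Symantec report and not part of Yanluowang: it runs over constructed process-creation records (a simplified pipe-delimited rendering of Windows Security event 4688 fields; the hosts, users, timestamps and command lines are invented for the example), clusters AdFind-style executions per host and user within a time window, and treats an assumed allow-list of administrative hosts as the mechanism for suppressing legitimate use. It goes beyond the article in one respect: it matches on AdFind’s command-line syntax (objectcategory filters, `-sc trustdmp`, `-subnets`) as well as the image name, so a renamed binary is still flagged.

```python
"""Flag AdFind-style Active Directory reconnaissance in process-creation logs.

Added example. The log format and every record below are constructed for
illustration; they are not output from a real system or from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample telemetry: timestamp|host|user|parent image|image|command line
SAMPLE_LOG = r"""
2021-10-14T09:02:11Z|WS-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt
2021-10-14T09:05:40Z|WS-042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Temp\adfind.exe|adfind.exe -f "(objectcategory=person)" > ad_users.txt
2021-10-14T09:05:52Z|WS-042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Temp\adfind.exe|adfind.exe -f "objectcategory=computer" > ad_computers.txt
2021-10-14T09:06:03Z|WS-042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Temp\adfind.exe|adfind.exe -sc trustdmp > trustdmp.txt
2021-10-14T09:07:15Z|WS-042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Temp\a.exe|a.exe -f "(objectcategory=group)" > ad_groups.txt
2021-10-14T11:30:00Z|DC-01|CORP\svc_ldap|C:\Windows\System32\services.exe|C:\Windows\System32\lsass.exe|lsass.exe
"""

# Command-line shapes typical of AdFind reconnaissance (AD users, computers,
# groups, OUs, subnets, and trust dumps). Matching on arguments rather than the
# file name catches a renamed adfind.exe.
ADFIND_RECON_PATTERNS = [
    re.compile(r"objectcategory=(person|computer|group|organizationalunit|subnet)", re.I),
    re.compile(r"-sc\s+(trustdmp|admincountdmp)", re.I),
    re.compile(r"\s-subnets\b", re.I),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    first_seen: datetime
    last_seen: datetime
    commands: list = field(default_factory=list)
    renamed_binary: bool = False  # recon arguments seen under a non-adfind.exe image


def parse_events(text: str) -> list:
    """Parse the constructed pipe-delimited records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, user, parent, image, cmdline))
    return events


def detect_ad_recon(events, allowed_admin_hosts=frozenset(),
                    min_hits=2, window_seconds=900) -> list:
    """Return one Finding per (host, user) burst of AdFind-style activity.

    allowed_admin_hosts is an assumed allow-list of machines where AdFind is
    expected (e.g. admin jump hosts); activity there is ignored. A burst is
    min_hits or more matching executions within window_seconds of the first.
    """
    allowed = {h.upper() for h in allowed_admin_hosts}
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host.upper() in allowed:
            continue
        is_adfind_image = ev.image.rsplit("\\", 1)[-1].lower() == "adfind.exe"
        args_match = any(p.search(ev.cmdline) for p in ADFIND_RECON_PATTERNS)
        if is_adfind_image or args_match:
            hits[(ev.host, ev.user)].append((ev, args_match and not is_adfind_image))

    findings = []
    for (host, user), actor_hits in hits.items():
        cluster = []
        for ev, renamed in actor_hits + [(None, False)]:  # sentinel flushes the last cluster
            if ev is not None and (not cluster or
                                   (ev.ts - cluster[0][0].ts).total_seconds() <= window_seconds):
                cluster.append((ev, renamed))
                continue
            if len(cluster) >= min_hits:
                findings.append(Finding(host, user, cluster[0][0].ts, cluster[-1][0].ts,
                                        [e.cmdline for e, _ in cluster],
                                        any(r for _, r in cluster)))
            cluster = [(ev, renamed)] if ev is not None else []
    return findings


if __name__ == "__main__":
    for f in detect_ad_recon(parse_events(SAMPLE_LOG)):
        print(f"{f.host} {f.user}: {len(f.commands)} AdFind-style executions "
              f"between {f.first_seen:%H:%M:%S} and {f.last_seen:%H:%M:%S}"
              f"{' (renamed binary)' if f.renamed_binary else ''}")
```

Tune `min_hits` and `window_seconds` to your environment: a single `adfind -sc trustdmp` from an admin workstation may be routine, while several AD-wide dumps in a few minutes from a user workstation, as in the constructed sample, is the pattern the report describes as the first sign of the intrusion.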
Before deploying the ransomware, the attackers run a precursor tool that performs the following tasks:
- Creates a .txt file listing the remote machines to check; the number of machines is supplied on the command line.
- Uses Windows Management Instrumentation (WMI) to retrieve the list of processes running on each remote machine named in that .txt file.
- Logs all of the processes, together with the remote machine names, to processes.txt.
Once launched, Yanluowang stops any virtual machines running under a hypervisor on the compromised host, terminates the processes the precursor tool collected (including SQL and Veeam backup processes, a step that releases the file locks those services hold and undermines recovery from backups), encrypts files, and appends the .yanluowang extension to them.
Yanluowang also drops a ransom note named README.txt on infected devices, warning victims not to contact law enforcement or seek help from ransomware negotiation firms.
According to the Broadcom researchers, the operators claim that if their demands are not met they will launch distributed denial-of-service (DDoS) attacks against the victim and make “calls to workers and business partners.”
The attackers also threaten to repeat the attack “in a few weeks” and to delete the victim’s data. This is a common pressure tactic used by ransomware groups to push victims into paying.
The Symantec Threat Hunter Team’s report includes indicators of compromise, including malware hashes. Note that file hashes identify only the samples observed so far; because the malware is still in development, new builds will not match them, so behavioural detections (AdFind reconnaissance, remote WMI process enumeration, mass process termination) are worth having alongside the hash-based ones.
Even though it is still under development, Yanluowang is harmful malware, and ransomware remains one of the most serious threats organizations around the world face.