The Yanluowang gang claimed to have launched a ransomware attack against American retailer Walmart, although Walmart has disputed this. Walmart maintains that its “Information Security team is monitoring our systems 24/7” and says it considers the accusations untrue.
“We believe this claim is inaccurate and are not aware of a successful attack in this regard on our devices,” said a Walmart spokesperson.
In a post on its data leak website on Monday, the relatively new Yanluowang ransomware operation claimed it had broken into the retailer and locked between 40,000 and 50,000 devices. According to the data leak site, the group offered to help and encrypted roughly 40-50k Walmart systems, but they chose to go a different path, and so the group is now publishing.
The ransomware group went on to say that they had carried out the attack over a month earlier and had succeeded in encrypting devices but not stealing any data. They claim that as part of this attack, they requested a $55 million ransom from Walmart but never got a response. Several files that purport to contain information obtained during the attack from Walmart’s Windows domain are included in the entry on the data leak website.
A security certificate, a list of domain users, and the results of a kerberoasting attack are among the material in these files, which the group claims to have stolen from Walmart's internal network, even though Walmart denies that an attack was successful. Threat actors use kerberoasting to obtain Windows service accounts and their hashed NTLM passwords once they have gained access to a network.
These hashed passwords are then brute-forced to recover the plain-text passwords, which may be used to escalate access on the Windows domain. The validity of the stolen Windows domain data has not been determined. However, an email with further questions has been sent to Walmart.
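A defender-side illustration of the kerberoasting passage above, added here and not part of the original article: it scans Windows Security Event ID 4769 records (Kerberos service ticket requested) for one account requesting RC4-encrypted tickets for several service accounts within a short window. The sample events, account names, threshold and window are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 4769 records flattened to JSON lines (all names invented).
SAMPLE_EVENTS = """\
{"time":"2022-08-01T10:00:01","EventID":4769,"TargetUserName":"alice@EXAMPLE.LOCAL","ServiceName":"FILESRV01$","TicketEncryptionType":"0x12","Status":"0x0"}
{"time":"2022-08-01T10:02:00","EventID":4769,"TargetUserName":"alice@EXAMPLE.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T11:15:00","EventID":4769,"TargetUserName":"bob@EXAMPLE.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T11:15:04","EventID":4769,"TargetUserName":"bob@EXAMPLE.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T11:15:09","EventID":4769,"TargetUserName":"bob@EXAMPLE.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T09:00:00","EventID":4769,"TargetUserName":"carol@EXAMPLE.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T12:00:00","EventID":4769,"TargetUserName":"carol@EXAMPLE.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","Status":"0x0"}
{"time":"2022-08-01T15:00:00","EventID":4769,"TargetUserName":"carol@EXAMPLE.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","Status":"0x0"}
"""

RC4_HMAC = 0x17                 # RC4-HMAC etype; its key is the account's NT hash
THRESHOLD = 3                   # assumed: distinct services per window that warrants review
WINDOW = timedelta(minutes=5)   # assumed sliding-window size

def find_kerberoast_candidates(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each requesting account to the services it requested, for accounts that got
    RC4 tickets for >= threshold distinct user-backed services inside one window."""
    per_account = defaultdict(list)
    for line in filter(str.strip, lines.splitlines()):
        ev = json.loads(line)
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue  # only successful service-ticket requests
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        # Machine accounts (trailing $) and krbtgt have long random passwords; skip them.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[ev["TargetUserName"]].append((datetime.fromisoformat(ev["time"]), svc))
    flagged = defaultdict(set)
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= threshold:
                flagged[account] |= services
    return {a: sorted(s) for a, s in flagged.items()}

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

Only the burst from the constructed `bob` account is flagged; the same three services requested hours apart by `carol` stay below the threshold.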