New “Yanluowang” Ransomware Variant Discovered

Security researchers are warning of a newly discovered ransomware variant currently being used in targeted attacks.

Dubbed “Yanluowang” after the .yanluowang extension it adds to encrypted files, the new ransomware was discovered by Symantec during its investigation into an attack against an unnamed “large organization.”

It appears that the group using the variant first deployed AdFind, a legitimate command-line Active Directory query tool, for reconnaissance and to assist with lateral movement.

Before Yanluowang itself is downloaded, an additional tool creates a .txt file listing the remote machines to check (the number of machines is supplied on the command line) and uses WMI to retrieve the list of processes running on each of them.

It also logs all the processes and remote machine names, Symantec said.

Then, following deployment, the malware stops all hypervisor virtual machines running on the infected host, terminates the processes listed in the .txt file, encrypts files and drops a ransom note named README.txt.
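The recon and encryption stages described above leave footprints that a defender can hunt for. The following is an added example, not Symantec's code or the article's: it runs two simple checks over constructed, Sysmon-like telemetry (EventID 1 process creation with the PE `OriginalFileName` field, EventID 11 file creation). The first catches AdFind even when the binary has been renamed; the second flags hosts on which files with the `.yanluowang` extension appear in bulk or alongside a README.txt drop. The event shape, host names, file names and the alert threshold are assumptions for illustration.

```python
from collections import defaultdict

RANSOM_EXT = ".yanluowang"   # extension the article reports being appended
RANSOM_NOTE = "readme.txt"   # ransom note name the article reports

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process
# creation, EventID 11 = file create). Illustrative only, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "dc01",
     "Image": r"C:\Users\svc\adfind.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "adfind.exe -f objectcategory=computer -csv"},
    # Renamed copy: the image name hides it, the PE OriginalFileName does not.
    {"EventID": 1, "Computer": "ws07",
     "Image": r"C:\Temp\a.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "a.exe -subnets -f (objectCategory=subnet)"},
    {"EventID": 1, "Computer": "ws07",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 11, "Computer": "fs01", "TargetFilename": r"D:\share\README.txt"},
    # A single encrypted-looking file on ws02: below threshold and no note.
    {"EventID": 11, "Computer": "ws02",
     "TargetFilename": r"C:\Users\a\report.docx.yanluowang"},
]
# Bulk of the encryption stage on fs01: six files carrying the extension.
SAMPLE_EVENTS += [
    {"EventID": 11, "Computer": "fs01",
     "TargetFilename": rf"D:\share\doc{i}.xlsx.yanluowang"}
    for i in range(6)
]


def _basename(path: str) -> str:
    """Lower-cased final path component; handles Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_adfind(events):
    """Return (Computer, CommandLine) for every AdFind execution.

    Matches on the on-disk image name OR the PE OriginalFileName, so a
    renamed copy of the tool is still caught."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        names = {_basename(ev.get("Image", "")),
                 ev.get("OriginalFileName", "").lower()}
        if "adfind.exe" in names:
            hits.append((ev["Computer"], ev["CommandLine"]))
    return hits


def find_encryption_activity(events, threshold=5):
    """Per host, count files bearing the ransomware extension and note whether
    the ransom note was dropped. A host is returned when the count reaches
    `threshold` (a tunable assumption) or the note appears next to at least one
    encrypted file; README.txt alone is too common to alert on."""
    per_host = defaultdict(lambda: {"encrypted": 0, "ransom_note": False})
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        name = _basename(ev["TargetFilename"])
        stats = per_host[ev["Computer"]]
        if name.endswith(RANSOM_EXT):
            stats["encrypted"] += 1
        elif name == RANSOM_NOTE:
            stats["ransom_note"] = True
    return {
        host: s for host, s in per_host.items()
        if s["encrypted"] >= threshold or (s["ransom_note"] and s["encrypted"] > 0)
    }


if __name__ == "__main__":
    for host, cmd in find_adfind(SAMPLE_EVENTS):
        print(f"[recon] AdFind on {host}: {cmd}")
    for host, stats in find_encryption_activity(SAMPLE_EVENTS).items():
        print(f"[impact] {host}: {stats['encrypted']} encrypted files, "
              f"ransom note={stats['ransom_note']}")
```

In practice the process check would be fed from Sysmon or EDR process-creation events and the file check from file-create telemetry on file servers; the threshold is a starting point to tune against your own rename/create baseline.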

The note purportedly warns victims not to contact the police or any specialized ransomware negotiation firms.

“If the attackers’ rules are broken the ransomware operators say they will conduct distributed denial of service (DDoS) attacks against the victim, as well as make ‘calls to employees and business partners.’ The criminals also threaten to repeat the attack ‘in a few weeks’ and delete the victim’s data,” Symantec revealed in a blog post.

“While the Yanluowang ransomware appears to be still under development it should by no means be underestimated. Targeted ransomware is one of the biggest cyber-threats faced by organizations today and, as such, all new ransomware threats should be taken equally seriously.”

The volume of ransomware attacks surged by 288% between the first and second quarters of 2021, according to the most recent data from the NCC Group.

Yanluowang is the name of a Chinese deity associated with the underworld, although Symantec had no confirmation of the threat group's origin.
