Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Yanluowang ransomware used in highly targeted attacks on large orgs

Researchers spotted a new strain of ransomware, dubbed Yanluowang, that was used in highly targeted attacks against enterprises. Researchers from Symantec Threat Hunter Team discovered a ransomware family, tracked as Yanluowang ransomware that was used in highly targeted attacks against large enterprises. The discovery is part of an investigation into a recent attempted ransomware attack […]

Yanluowang ransom note

Researchers spotted a new strain of ransomware, dubbed Yanluowang, that was used in highly targeted attacks against enterprises.

Researchers from Symantec Threat Hunter Team discovered a ransomware family, tracked as Yanluowang ransomware that was used in highly targeted attacks against large enterprises.

The discovery is part of an investigation into a recent attempted ransomware attack against a large organization.

“The Threat Hunter Team first spotted suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim organization’s network. This tool is often abused by ransomware attackers as a reconnaissance tool, as well as to equip the attackers with the resources that they need for lateral movement via Active Directory.” reads the analysis published by Symantec. “Just days after the suspicious AdFind activity was observed on the victim organization, the attackers attempted to deploy the Yanluowang ransomware.”

The researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.

Before being deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:

  • Creates a .txt file with the number of remote machines to check in the command line
  • Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
  • Logs all the processes and remote machine names to processes.txt

The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.

Upon deploying the Yanluowang ransomware, it will stop hypervisor virtual machines, end all processes logged by the above tool (including SQL and back-up solution Veeam), then it will encrypt files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.

The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators will launch distributed denial of service (DDoS) attacks against the victim if it will not respect their rules. The ransomware operators also threaten to make calls to employees and business partners to damage the brand reputation of the victims, along with targeting again the victim in a few weeks and delete its data.

Yanluowang ransom note
Yanluowang ransom note: Source Symantec Threat Hunter Team

The report published by Symantec also includes Indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]