Yanluowang Ransomware
A new highly targeted attack operation deploying a never-before-seen ransomware threat was uncovered by infosec researchers. The target of the threatening operation has not been disclosed but it is described as a prominent large organization. The threat is named Yanluowang Ransomware after the extension it uses to mark the files it encrypts. It possesses an expanded list of functionalities but according to the findings of the cybersecurity experts, the Yanluowang Ransomware is still in its development stage and could become even more threatening in the future.
Table of Contents
Preparing the Environment
Before the ransomware is delivered to the compromised systems, the attackers exploit the legitimate command-line Active Directory query tool named AdFind. This particular tool is often abused by cybercriminals as a way to move laterally within breached networks.
The next step of the Yanluowang attack is to prepare the environment of the compromised computer. The hackers deploy a specialized tool that performs three main tasks. First, it creates a text file containing the number of remote machines that are to be checked via the command line. Then, it uses the legitimate Window Management Instrumentation (WMI) to obtain a list of all processes running on the systems listed on the text file. Finally, it stores all processes alongside the name of the remote machines in a 'processes.txt' file.
Yanluowang Ransomware’s Functionality
The ransomware threat possesses all the typical harmful functions expected from a threat of this type. It initiates an encryption process that locks the files on the infected system with a strong algorithm. Each locked file will have '.yanluowang' appended to its original name. However, before starting its encryption, the threat performs two preparatory actions. The ransomware threat terminates all hypervisor virtual machines if such is running on the infected computer. It then looks at the 'processes.txt' file and terminates all processes listed there, including SQL and the backup and data protection solution Veeam. The final step performed by the threat is to deliver a ransom with instructions for its victim.
Ransom Note’s Details
The note reveals that the hackers are not satisfied with simply locking the victim's file and extorting money for their potential restoration. If their demands are not met the cybercriminals state that they are ready to launch DDoS (Distributed Denial of Service) attacks against the victim, will start calling employee and business partners of the entity, and finally, will conduct another attack in a couple of weeks to delete all of the victim's data. In addition, the Yanluowang Ransomware note claims that vast amounts of private data have already been collected.
