Day 11: Yanluowang Ransomware

Common Attack Vectors

  • Remote Desktop Protocol (RDP)

Vulnerabilities Exploited

  • Windows Management Instrumentation (WMI)
  • Active Directory
  • SoftPerfect Network Scanner
  • S3 Browser and Cent Browser
  • ConnectWise

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Enterprises

Threat actors target enterprises to steal sensitive data, encrypt network files, and demand ransoms.

Finance

Threat actors target financial institutions to steal people's names, financial records, social security numbers, and bank accounts.

Recent Activity

Yanluowang ransomware targeted a high-profile enterprise, using AdFind to conduct reconnaissance and gather the information needed to move through the victim’s network.

Yanluowang ransomware is targeting financial companies in the United States using BazarLoader malware in reconnaissance operations.

Common File Extensions

.yanluowang

Known Aliases

  • Thieflock
  • FiveHands

How Yanluowang Ransomware is Distributed

Yanluowang ransomware first performs reconnaissance with AdFind to gather the information needed to move within the victim’s network. The threat actors then deploy a malicious precursor tool that creates a .txt file listing the remote machines to be checked from the command line, gathers the list of processes running on each remote machine using Windows Management Instrumentation (WMI), and logs the process names and remote machine names to processes.txt. Once the precursor tool has run, the Yanluowang ransomware stops the hypervisor virtual machines, ends the processes the precursor tool harvested (including SQL and Veeam), and encrypts files, appending the “.yanluowang” extension. The group then leaves a ransom note named README.txt on the encrypted system, warning victims not to contact ransomware negotiation companies or law enforcement. If victims break these rules, the threat actors launch a Distributed Denial-of-Service (DDoS) attack against them and contact their employees and business partners.
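The file-level artifacts in the chain above (the processes.txt output of the precursor tool, files renamed with the .yanluowang extension, and the README.txt note) can be turned into a simple detection. The script below is an added example, not SpearTip's or ShadowSpear's code; the event records, the process image names and the burst threshold are constructed assumptions, not telemetry from a real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".yanluowang"         # extension reported on this page
RANSOM_NOTE = "readme.txt"            # ransom note name reported on this page
PRECURSOR_LOG = "processes.txt"       # output file of the reconnaissance tool
BURST_THRESHOLD = 5                   # assumed tuning: encrypted files per window
BURST_WINDOW = timedelta(seconds=60)  # assumed tuning

# Constructed sample file-create events: (ISO timestamp, writing process, path).
# Process names are invented for illustration only.
SAMPLE_EVENTS = [
    ("2022-01-10T09:00:00", r"C:\Temp\recon.exe", r"C:\Temp\processes.txt"),
    ("2022-01-10T09:05:00", r"C:\Windows\explorer.exe", r"C:\Users\a\report.docx"),
    ("2022-01-10T09:10:01", r"C:\Temp\enc.exe", r"C:\Share\q1.xlsx.yanluowang"),
    ("2022-01-10T09:10:02", r"C:\Temp\enc.exe", r"C:\Share\q2.xlsx.yanluowang"),
    ("2022-01-10T09:10:03", r"C:\Temp\enc.exe", r"C:\Share\plan.docx.yanluowang"),
    ("2022-01-10T09:10:04", r"C:\Temp\enc.exe", r"C:\Share\db.bak.yanluowang"),
    ("2022-01-10T09:10:05", r"C:\Temp\enc.exe", r"C:\Share\notes.txt.yanluowang"),
    ("2022-01-10T09:10:06", r"C:\Temp\enc.exe", r"C:\Share\README.txt"),
]

def detect(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (rule, process, detail) tuples for events matching the chain."""
    findings = []
    encrypt_times = defaultdict(list)  # process -> timestamps of .yanluowang writes
    for ts_text, proc, path in events:
        ts = datetime.fromisoformat(ts_text)
        name = path.rsplit("\\", 1)[-1].lower()
        if name == PRECURSOR_LOG:
            findings.append(("precursor_log", proc, path))
        elif name == RANSOM_NOTE:
            # Noisy on its own; meaningful when it follows encrypted-file writes.
            findings.append(("ransom_note", proc, path))
        elif name.endswith(ENCRYPTED_EXT):
            findings.append(("encrypted_file", proc, path))
            encrypt_times[proc].append(ts)
    # Sliding window: one process writing many .yanluowang files in a short
    # period is the encryption stage, whichever binary performs it.
    for proc, times in encrypt_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("encryption_burst", proc, f"{end - start + 1} files in {window}"))
                break
    return findings

if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:17} {proc:28} {detail}")
```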

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.