Researchers have discovered a newly developed Yanluowang ransomware variant (named after Yanluo Wang, one of the ten Chinese kings of hell) used against a high-profile enterprise. The ransomware was found during an incident at an unnamed large organization, after researchers detected suspicious activity involving the legitimate AdFind command-line Active Directory query tool. Threat actors commonly use AdFind for reconnaissance, including gathering the information they need to move laterally through their victims’ networks.
The attackers attempted to deploy their ransomware payloads across the breached organization’s systems within days of the suspicious AdFind activity being discovered. Before deploying Yanluowang on compromised devices, the operators ran a precursor tool that performs the following actions:
Once the precursor tool has run, the Yanluowang ransomware halts hypervisor virtual machines, terminates the processes the precursor tool harvested (including SQL and Veeam), and encrypts files, appending the “.yanluowang” extension. The Yanluowang group leaves a README.txt ransom note on the encrypted system warning victims not to contact law enforcement or ransomware negotiation companies. The README.txt ransom note contained some warnings we’ve seen trending among different threat actors:
“Here’s what you shouldn’t do:
Here’s what you should do right after reading it:
Violating the attackers’ rules, the note warns, will result in distributed denial-of-service (DDoS) attacks against the victim and in the threat actors contacting the victim’s employees and business partners. The Yanluowang operators additionally threaten to repeat the attack in a few weeks and to delete the victim’s data, a common strategy used to pressure victims into paying the ransom.
Even though Yanluowang is a newly developed ransomware variant, it is viewed as one of the more potent ransomware operations harming businesses. The Yanluowang group uses the same extortion playbook as other ransomware groups to pressure victims into paying. Even though Yanluowang threatens to delete the victim’s data and launch DDoS attacks if the victim contacts law enforcement, the FBI or security companies, it is still important to contact them. You can’t trust threat actors in any incident, and chances are they will permanently delete your data regardless of whether the ransom is paid. It’s crucial to have a forensics company with incident response capabilities that can assist with your organization’s recovery.
Our certified engineers at SpearTip will work continuously, 24/7/365, at our Security Operations Centers monitoring your networks for any potential threats like those carried out by the Yanluowang threat actors.
It is beneficial to contact SpearTip for response cases; however, being proactive is a more effective route of protection. The best proactive tool for protecting your company is SpearTip’s ShadowSpear platform. ShadowSpear stops any ransomware threats from infecting your company’s machines, and it provides your team with a direct line of communication to our engineers to answer any questions.
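As an added illustration, not SpearTip’s code or anything recovered from the incident, the following Python sketch shows how a defender could triage endpoint logs for the two observable stages described above: an AdFind execution followed, days later, by a burst of files renamed with the .yanluowang extension and a README.txt drop. The log format, host names, sample events and the burst threshold are constructed assumptions.

```python
"""Triage helper: flag Yanluowang-style precursor and encryption activity."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the incident); format: "ts host kind path"
SAMPLE_LOG = """\
2021-10-12T09:14:02 WS01 process C:\\Users\\a\\Desktop\\adfind.exe
2021-10-12T09:14:05 WS01 process C:\\Windows\\System32\\cmd.exe
2021-10-14T22:01:10 FS01 file D:\\share\\q3.xlsx.yanluowang
2021-10-14T22:01:11 FS01 file D:\\share\\plan.docx.yanluowang
2021-10-14T22:01:12 FS01 file D:\\share\\README.txt
2021-10-14T22:01:13 FS01 file D:\\share\\notes.txt.yanluowang
2021-10-14T22:05:00 WS02 file C:\\Users\\b\\one.pdf.yanluowang
"""

RECON_TOOLS = {"adfind.exe"}   # assumption: match on image name only
ENC_EXT = ".yanluowang"        # extension reported for this variant
BURST_MIN = 3                  # assumed: renamed files per host before calling it encryption

def parse(log):
    """Yield (timestamp, host, kind, path) from the constructed log format."""
    for line in log.splitlines():
        ts, host, kind, path = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, kind, path

def detect(log, window=timedelta(days=7)):
    """Return recon-tool sightings, per-host encryption bursts, and whether a
    burst followed a recon sighting within `window` (the days-later pattern)."""
    recon, enc_count, enc_first, notes = [], Counter(), {}, set()
    for ts, host, kind, path in parse(log):
        name = path.rsplit("\\", 1)[-1].lower()
        if kind == "process" and name in RECON_TOOLS:
            recon.append((ts, host, name))
        elif kind == "file" and name.endswith(ENC_EXT):
            enc_count[host] += 1
            enc_first.setdefault(host, ts)       # first rename seen on this host
        elif kind == "file" and name == "readme.txt":
            notes.add(host)                      # ransom note dropped here
    bursts = {h: {"files": c, "ransom_note": h in notes, "first": enc_first[h]}
              for h, c in enc_count.items() if c >= BURST_MIN}
    correlated = any(timedelta(0) <= (b["first"] - t) <= window
                     for t, _, _ in recon for b in bursts.values())
    return {"recon": recon, "bursts": bursts, "correlated": correlated}

if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

A single renamed file on WS02 stays below the burst threshold, so only FS01 is reported; shrinking the window to one day drops the correlation because the encryption started about two and a half days after the AdFind sighting.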
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.