Researchers have discovered a newly developed ransomware variant called Yanluowang (named after one of the ten Chinese kings of hell, Yanluo Wang), targeting a high-profile enterprise. Yanluowang ransomware was discovered during an incident involving an unnamed large organization after detecting suspicious activity involving the legitimate AdFind command line Active Directory query tool. Threat actors commonly use AdFind to perform reconnaissance operations including accessing information needed to move throughout their victims’ networks.
The attackers attempted to deploy their ransomware payloads across the breached organization’s systems within days of the researchers discovering the suspicious AdFind tool. Before deploying the ransomware on compromised devices, the threat operators would implement a malicious tool to perform the following actions:
- Creates a .txt file with the number of remote machines to check in the command line
- Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
- Logs all the processes and remote machine names to processes.txt
Once the malicious tool is deployed, the ransomware will halt the hypervisor virtual machine, end the precursor tool (including SQL and Veeam) harvesting process and encrypt files using the “.yanluowang” extension. Yanluowang group would leave a README.txt ransom note on the encrypted system warning victims not to contact law enforcement or ransomware negotiation companies. The README.txt ransom note contained some warnings we’ve seen trending among different threat actors:
“Here’s what you shouldn’t do:
- Contact the police, FBI or other authorities before the end of our deal.
- Contact the recovery company so that they conduct dialogues with us. (This can slow down the recovery, and generally put our communication to nought)
- Do not try to decrypt the files yourself, as well as do not change the file extension yourself!!! This can lead to the impossibility of their decryption.
- Keep us for fools. We will also stop any communication with you, and continue DDoS, calls to employees and business partners. In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!
Here’s what you should do right after reading it:
- If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department
- If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email. We are ready to confirm all our intentions regarding DDOS, calls, and the deletion of the date at your first request. As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption. Mails to contact us:”
Violating the attacker’s rules will result in threat actors implementing distributed denial of services (DDoS) attacks against the victims and contacting the employees and business partners. Additionally, they threaten to repeat the process in a few weeks and delete the victim’s data, a common strategy used to pressure victims into making ransom payments.
Even though Yanluowang is a newly developed ransomware variant, it is viewed as one of the more potent organizations harming businesses. This ransomware group is utilizing a similar extortion method used by other ransomware groups to pressure victims into paying the ransom. Even though Yanluownag is threatening to delete the victim’s data and implement DDoS (distributed denial of service) if they contact law enforcement, FBI or security companies, it’s still important to contact them. You can’t trust threat actors in any incident, and chances are they will permanently delete your data regardless of if they are paid the ransom or not. It’s crucial to have a forensics company with incident response capabilities that can assist with your organization’s recovery.
Our certified engineers at SpearTip will work continuously, 24/7/365, at our Security Operations Centers monitoring your networks for any potential threats likes those performed by Yanluowan threat actors.
It is beneficial to contact SpearTip for response cases, however, being proactive is a more effective route of protection. The best proactive tool in protecting your company is SpearTip’s ShadowSpear platform. ShadowSpear stops any ransomware threats from infecting your company’s machines and it provides your team with a direct line of communication to our engineers to answer any questions.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.