‘Underdeveloped’ New Ransomware Yanluowang Identified
A Symantec cybersecurity team at Broadcom Inc. is warning of a
recently discovered ransomware family
that’s already been seen in the wild.
The attack variant, called Yanluowang after the .yanluowang extension it puts on encrypted files, deploys using the legitimate AdFind Active Directory query tool. The security team said that while the attack agent is already being deployed, it appears to still be a work in progress.
“In a recent attempted ransomware attack against a large organization, Symantec obtained a number of malicious files that, upon further investigation, revealed the threat to be a new, if somewhat underdeveloped, ransomware family,” said the Symantec Threat Hunter Team in a post identifying the variant.
How the attack works is the AdFind tool is injected in a targeted network as reconnaissance and as a way to identify avenues to move freely through a system via Active Directory. Once deployed, the tool creates a .txt file with the remote machine addresses, uses Windows Management Instrumentation to get a list of running processes and then reports back in a new .txt file.
The Symantec researchers said that a few days after they noticed the AdFind activity, the Yanluowang ransomware was then deployed on the targeted system. Once deployed, it carries out the following actions:
- Kills any hypervisor virtual machines on the targeted system.
- Stops processes in process.txt (which includes SQL, Veeam and other backup services).
- Encrypts files on the compromised machine and adds the .yanluowang extension to each file.
- Uploads a .txt file on the targeted system with the ransom note.
The uploaded note gives explicit instructions on how the victim can unlock the encrypted files. Per the Symantec Threat Hunter Team post:
The ransom note dropped by Yanluowang warns victims not to contact law enforcement or ransomware negotiation firms. If the attackers’ rules are broken the ransomware operators say they will conduct distributed denial of service (DDoS) attacks against the victim, as well as make ‘calls to employees and business partners.’ The criminals also threaten to repeat the attack ‘in a few weeks’ and delete the victim’s data.
So far the research team hasn’t identified how the infection initially occurred or if a major ransomware group is currently behind the new variant.
This is just the latest in a trend of growing ransomware families and increased attacks. According to a recent Google study, at least 130 different ransomware families were active between 2020 and now, increasing the burden placed on IT to keep enterprise networks safe.