Yanluowang Ransomware Deployed in Latest Attacks

Broadcom Inc.'s Symantec cybersecurity team has issued a warning about a newly discovered ransomware group that has already been observed in the wild.

 

Yanluowang (named after Yanluo Wang, one of the ten Chinese rulers of hell) is a newly created ransomware strain that has been identified in an attack on a high-profile company.

The Yanluowang ransomware was discovered during an incident at an undisclosed large organization, after investigators noticed suspicious use of AdFind, a legitimate command-line Active Directory query tool. Attackers frequently use AdFind for reconnaissance, such as gathering the information they need to move across their victims' networks.

The new strain was found by Broadcom's Symantec Threat Hunter Team, and at first glance it stands out because of its unusual name, taken from the Chinese deity Yanluo Wang. In Chinese mythology he is the god of death and the ruler of the Fifth Court of Diyu, the Chinese hell. The name appears to come from the extension the ransomware appends to the files it encrypts on infected computers.

Within days of the investigators spotting the suspicious AdFind activity, the attackers attempted to deploy their ransomware payloads across the compromised organization's network. Before spreading the ransomware to compromised computers, the threat actors ran a precursor tool that does three things: it creates a .txt file listing the remote computers to check, as specified on the command line; it uses Windows Management Instrumentation (WMI) to obtain the list of processes running on each remote computer named in that file; and finally it logs all of those processes and remote machine names to processes.txt.
</gml_replace>
<gr_replace lines="23" cat="clarify" orig="And once the infected application">
Once the ransomware itself is deployed, it stops hypervisor virtual machines, terminates the processes harvested by the precursor tool (including SQL and Veeam processes), and encrypts files, appending the ".yanluowang" extension.

And once the infected application is installed, the ransomware will suspend the hypervisor virtual machine, terminate the precursor tool harvesting process (including SQL and Veeam), and encrypt files with the ".yanluowang" extension. 
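As an added illustration (not code from the original post or from Symantec), the intrusion chain described above expressed as simple detection logic run over constructed endpoint events: AdFind reconnaissance, remote WMI process enumeration, the processes.txt log, and the .yanluowang extension. The event field names, the wmic command form used here to represent WMI process enumeration, and the sample events are all assumptions.

```python
import re
from collections import defaultdict

# Stages of the chain in the order the article describes them.
STAGES = ("adfind_recon", "wmi_process_enum", "process_log_written", "yanluowang_encrypt")

# (stage, event type, regex over the event's 'detail' field); the wmic form is an assumption.
RULES = [
    ("adfind_recon", "process", re.compile(r"(^|\\)adfind(\.exe)?\b", re.I)),
    ("wmi_process_enum", "process", re.compile(r"\bwmic\b.*/node:.*\bprocess\b", re.I)),
    ("process_log_written", "file", re.compile(r"\\processes\.txt$", re.I)),
    ("yanluowang_encrypt", "file", re.compile(r"\.yanluowang$", re.I)),
]

def classify(event):
    """Return the chain stage an event matches, or None."""
    for stage, kind, pattern in RULES:
        if event["type"] == kind and pattern.search(event["detail"]):
            return stage
    return None

def correlate(events):
    """Group stage hits per host in time order: {host: [stages seen]}."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in seen[ev["host"]]:
            seen[ev["host"]].append(stage)
    return dict(seen)

def triage(events):
    """Rank hosts by how far along the described chain each has progressed (1..4)."""
    return {host: max(STAGES.index(s) for s in stages) + 1
            for host, stages in correlate(events).items()}

# Constructed sample telemetry (hypothetical hosts and paths, not real data).
SAMPLE = [
    {"ts": 1, "host": "ws01", "type": "process", "detail": r"C:\tools\AdFind.exe -f objectcategory=computer"},
    {"ts": 2, "host": "ws01", "type": "process", "detail": r"wmic /node:srv02 process list brief"},
    {"ts": 3, "host": "ws01", "type": "file", "detail": r"C:\Users\Public\processes.txt"},
    {"ts": 4, "host": "srv02", "type": "file", "detail": r"D:\shares\finance\q3.xlsx.yanluowang"},
    {"ts": 5, "host": "ws07", "type": "process", "detail": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    hits = correlate(SAMPLE)
    for host, depth in sorted(triage(SAMPLE).items()):
        print(f"{host}: reached stage {depth}/{len(STAGES)} -> {hits[host]}")
```

A host that only reaches the AdFind or WMI stages is the point at which the article's investigators caught this intrusion, before the encryption stage was reached.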

On compromised machines, the Yanluowang gang leaves a README.txt ransom note that warns victims not to contact law enforcement or ransomware negotiation firms.

Breaking the attackers' rules, the note says, will lead to distributed denial of service (DDoS) attacks against the victim and to the attackers contacting the victim's employees and business partners. They also threaten to repeat the attack in a few weeks and to delete the victim's data, a common tactic used to pressure victims into paying the ransom.