A hacker earlier linked with the Thieflock ransomware campaign, currently might be using the rising Yanluowang ransomware in a chain of attacks against U.S organizations. Symantec cybersecurity experts, a subdivision of Broadcom software, discovered links between Yanluowang and Thieflock, details of the former were revealed in October after experts found its use against a big firm. They believe that a hacker has been using this ransomware to attack financial organizations in the U.S. The threat actor also compromised various firms in the manufacturing sector, engineering, consultancy, and IT services, using the novel ransomware.
Experts noticed a probable link between new Yanluowang attacks and earlier attacks which involved Thieflock, a RaaS (ransomware as a service), built by the Canthroid group, aka Fivehands. This shows how there's no loyalty in ransomware users, especially those who work as affiliates of RaaS operations.
As per ThreatPost, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target."
The ransomware developers pivot here and there, they switch business based on profit margins offered by ransomware threat actors, there's no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The experts have given a summary of some of the tools used in these attacks (Yanluowang), a few of these share some commonalities with the
Thieflock attacks, which may lead someone to believe that the actor orchestrating the attack is an expert with Thieflock's deployment. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they’ve gained this access," said ThreatPost.
