[MART] - Daily Diary #402 - Yanluowang, Another New Ransomware Threat

CTAS-MAT ctas-mat at appgate.com
Wed Dec 1 17:59:57 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/01/2021 - Diary entry #402:

Discovered in October 2021, Yanluowang is a ransomware threat targeting U.S. corporations from the financial, manufacturing, IT services, consultancy, and engineering sectors since at least August 2021. Yanluowang TTPs could be linked to the Thieflock ransomware operations, suggesting that they may have been a Thieflock affiliate.

As soon as they gain initial access to the systems, Yanluowang operators use PowerShell to download tools like ConnectWise (remote access tool), AdFinder (Active Directory query tool), and other malware tools like BazarLoader and CobaltStrike. All of them are used for reconnaissance and lateral movement. Next, they use tools to exfiltrate credentials from browsers and other sources.

After deploying Yanluowang ransomware, it stops all hypervisor virtual machines running on the compromised computer, terminates processes like database backup solutions, and encrypts files appending ".yanluowang" extension to them. Finally, a ransom note named README.txt is dropped.

Curiously, the ransom note warns victims to not contact law enforcement or negotiation firms, threatening to repeat the attack and to conduct distributed denial of service (DDoS) attacks against the victim, deleting their data, and contacting business partners and employees. This is a very clear impact from the recent international effort into fighting Ransomware. Those gangs are becoming stealthier and trying to get less attention from media and Law Enforcement as possible, to avoid having their operations disrupted.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211201/f6a5c5e9/attachment.htm>

More information about the MART mailing list