A new ransomware family appears to be making the rounds. Symantec, a division of Broadcom Software, says it’s found evidence of the Yanluowang ransomware being used against US companies since at least August.
Symantec revealed the Yanluowang ransomware family in October after it was used against “a large organization.” Now it says Yanluowang’s operators “have been heavily focused on organizations in the financial sector but have also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.”
The company also says that Yanluowang attacks rely on similar tactics, techniques, and procedures to attacks conducted with the Thieflock ransomware-as-a-service. It suspects that attacks involving Yanluowang are being conducted by a former affiliate of Thieflock based on these similarities between attacks involving both families:
- Use of custom password recovery tools such as GrabFF and other open-source password dumping tools
- Use of open-source network scanning tools (SoftPerfect Network Scanner)
- Use of free browsers, such as s3browser and Cent browser
These similarities don’t necessarily prove that Yanluowang and Thieflock are being used by the same threat actor, however, and Symantec says the link between the two is “tentative.” Mandiant principal threat analyst Tyler McLellan, who co-authored a report on the group believed to be responsible for Thieflock in April, tweeted:
Interesting link, but FOXGRABBER (grabff) first observed used by UNC2447 during FIVEHANDS ransomware ops seems to be getting shared around, even UNC2628 (DARKSIDE affiliate) used it as well. NETSCAN is usually the same pirated license keys floating around. https://t.co/KTtkGYvSB9
— Tyler McLellan (@tylabs) November 30, 2021
Symantec says that Yanluowang attacks typically involve an initial reconnaissance phase followed by credential harvesting, data exfiltration, and finally the encryption of the victim’s files. The report from October says the ransom note also includes a threat of distributed denial-of-service attacks and “calls to employees and business partners.”
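The tool overlap listed above (password-dumping tools, SoftPerfect Network Scanner, s3browser) and the staged attack flow Symantec describes (reconnaissance, credential harvesting, exfiltration, encryption) lend themselves to a simple stage-correlation check on the defensive side. The following is an added illustration written for this article, not Symantec's, Mandiant's or any vendor's detection logic: it reads constructed process-creation log lines, maps a few assumed image names to the stages named in the article, and flags hosts where two or more stages appear in order within a time window. The image names (`netscan.exe`, `grabff.exe`, `s3browser-win32.exe`) and the log lines are assumptions made for the example, not indicators taken from the report.

```python
"""Stage-correlation detector over constructed process-creation events.

Illustrative example written for this article; not Symantec's or Mandiant's
tooling. Image names below are assumed stand-ins for the tool families the
article names (password dumpers, SoftPerfect Network Scanner, s3browser),
and the log lines are constructed, not captured from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from process image name (lower-case) to attack stage.
STAGE_BY_IMAGE = {
    "netscan.exe": "recon",          # assumed image name for SoftPerfect Network Scanner
    "grabff.exe": "credential",      # assumed image name for the GrabFF password tool
    "s3browser-win32.exe": "exfil",  # assumed image name for s3browser
}

# Stages in the order the article describes them (encryption is left out:
# by then the correlation is moot).
STAGE_ORDER = ["recon", "credential", "exfil"]

# Constructed sample log, one "timestamp host image" record per line.
SAMPLE_LOG = """\
2021-11-30T08:01:10 WS-01 explorer.exe
2021-11-30T08:05:44 WS-01 netscan.exe
2021-11-30T08:20:12 WS-01 grabff.exe
2021-11-30T09:10:03 WS-01 s3browser-win32.exe
2021-11-30T08:00:00 WS-02 netscan.exe
2021-11-30T15:30:00 WS-02 grabff.exe
2021-11-30T10:00:00 WS-03 chrome.exe
"""


def parse_log(text):
    """Parse records into (timestamp, host, image) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image = line.split()
        events.append((datetime.fromisoformat(ts), host, image.lower()))
    return sorted(events)


def correlate(events, window=timedelta(hours=2), min_stages=2):
    """Return {host: [stages]} for every host on which at least `min_stages`
    distinct stages were seen, advancing in STAGE_ORDER, within `window`
    of the first stage event."""
    per_host = defaultdict(list)
    for ts, host, image in events:
        stage = STAGE_BY_IMAGE.get(image)
        if stage:
            per_host[host].append((ts, stage))

    hits = {}
    for host, seen in per_host.items():
        for i, (t0, _) in enumerate(seen):
            chain = []
            for ts, stage in seen[i:]:
                if ts - t0 > window:
                    break
                # Only accept a stage that moves the chain forward.
                if not chain or STAGE_ORDER.index(stage) > STAGE_ORDER.index(chain[-1]):
                    chain.append(stage)
            if len(chain) >= min_stages:
                hits[host] = chain
                break
    return hits


def detect(text=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: parse then correlate."""
    return correlate(parse_log(text), **kwargs)


if __name__ == "__main__":
    for host, chain in detect().items():
        print(f"{host}: {' -> '.join(chain)}")
```

On the constructed input, WS-01 shows all three stages inside two hours and is flagged; WS-02 ran the scanner and the password tool seven and a half hours apart, so it is only flagged if the window is widened. The window and the ordering constraint are the two knobs a detection engineer would tune against their own baseline, since, as McLellan's tweet notes, tools like these circulate widely and a single one on its own is weak evidence.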
By Nathaniel Mott