Enterprise security teams might want to add “Yanluowang” to the long and growing list of ransomware threats they need to watch out for.
Researchers from Symantec say a threat actor who has been mounting targeted attacks against US organizations since at least August recently began to use the new ransomware in its campaigns.
The threat actor was previously linked to attacks involving the use of another ransomware family called Thieflock, available via a ransomware-as-a-service (RaaS) operation called the Canthroid group. The Thieflock affiliate appears to have now switched to the rival Yanluowang ransomware strain and is currently the only attack group using the malware.
Its targets include organizations in the financial services industry and in the manufacturing, IT services, and engineering sectors.
Alan Neville, threat analyst on Symantec’s threat hunter team, says if the authors of Yanluowang are also operating a RaaS, then it’s very likely that other groups will soon begin using the malware as well.
“For us, the main takeaway is that Yanluowang appears to be establishing itself on the cybercrime marketplace and is gaining traction among potential collaborators,” Neville says. “If Yanluowang is here to stay, organizations should familiarize themselves with the TTPs associated with this group and ensure they’re well-placed to defend against them.”
Yanluowang is one among numerous new ransomware variants that have surfaced this year amid continuing law enforcement takedowns of major ransomware operators, such as those behind the REvil and Cl0p variants. Just this week, Red Canary researchers reported observing a threat actor exploiting the ProxyShell set of vulnerabilities in Microsoft Exchange to deploy a new ransomware variant called BlackByte, which others, such as TrustWave’s SpiderLabs, have recently warned about as well.
Many of the new ransomware strains have been used in so-called double-extortion attacks where threat actors have encrypted and stolen sensitive enterprise data, as well as threatened to leak the data to try and extort money from victims.
According to the NCC Group, in October alone some 314 organizations worldwide became victims of double-extortion attacks — a 65% increase over the prior month. Some 35% of the victims of these attacks were organizations in the industrial sector. Among the worst offenders were gangs beyond ransomware families such as Lockbit, Conti, Hive, and Blackmatter
Symantec’s investigation of Yanluowang activity showed the former Thieflock affiliate is using a variety of legitimate and open source tools in its campaign to distribute the ransomware. This has included the use of PowerShell to download a backdoor called BazarLoader for assisting with initial reconnaissance and the subsequent delivery of a legitimate remote access tool called ConnectWise.
To move laterally and identify high-value targets, such as an organization’s Active Directory server, the threat actor has used tools such as SoftPerfect Network Scanner and Adfind, a free tool for querying AD.
“The tool is frequently abused by threat actors to find critical servers within organizations,” Neville says. “The tool can be used to extract information pertaining to machines on the network, user account information, and more.”
Other tools the attacker is using in Yanluowang attacks include several for credential theft, such as GrabFF for dumping passwords from Firefox, a similar tool for Chrome called GrabChrome, and one for Internet Explorer and other browsers called BrowserPassView. Symantec researchers also discovered the former Thieflock affiliate using a PowerShell script called KeeThief to copy the master key from the KeePass open source password manager and other tools to capture data and screen shots from compromised systems.
The threat actor’s abundant use of free and open source tools, some of which have legitimate purposes, are consistent with what other ransomware operators are doing, Neville says.
“Generally, most of these groups follow similar patterns in terms of methods of intrusion, system discovery, lateral movement techniques and deployment,” he says. “The composition of the toolset will differ between groups, but the tactics are often quite similar.”
A Dynamic Year
The relentless ransomware onslaught shows little signs of slowing. Law enforcement crackdowns and better enterprise defenses have forced many ransomware groups to evolve and adapt their strategies, but the attacks themselves have not slowed down dramatically.
Matt Hull, global lead for strategic threat intelligence at the NCC Group, says the ransomware threat landscape has been very dynamic over the past 12 months, partly because of law enforcement activity and partly because of attacks like those on Colonial Pipeline, which garnered a lot of attention.
“We have also seen new players come to the table,” he notes. “But with incidents including the Colonial Pipeline attack and the Kaseya incident, the issue of ransomware has been brought to the forefront of international law enforcement and governments, forcing some ransomware operators to hang up their boots.”
The overall business model used by groups has also changed, he notes. Most groups now “employ the ‘hack-and-leak’ business model sometimes referred to as double extortion, following in the footsteps of the Maze Group, who were doing this as early and far back as 2019,” Hull says.
It’s difficult to say with certainty how successful enterprises have been in hardening themselves against ransomware attacks, Hull says.
“What is clear, however, is that enterprise organizations are truly starting to understand the severity of the ransomware threat,” he says.