Yanluowang Ransomware 11 August 2022

Yanluowang is targeted ransomware that has hit organizations in multiple critical infrastructure sectors, including the hardware, information technology, software, and high-tech sectors. It was first discovered in mid-October 2021. The Yanluowang group also publishes data stolen from ransomware victims.

Yanluowang encrypts (and renames) files, terminates running processes, stops services, and drops a ransom note named “README.txt”. It appends the “.yanluowang” extension to the names of encrypted files.

Security researchers spotted suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim organization’s network. AdFind is frequently abused by ransomware operators as a reconnaissance tool, and to collect the Active Directory information (hosts, users, groups) they need for lateral movement.

After the suspicious AdFind activity was observed, the attackers attempted to deploy the Yanluowang ransomware. Before the ransomware itself runs, a precursor tool carries out the following actions:

  • Creates a .txt file listing the remote machines to check, the number of which is supplied on the command line.
  • Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file.
  • Logs all the process names and remote machine names to processes.txt.

The Yanluowang ransomware is then deployed and carries out the following actions:

  • Stops all hypervisor virtual machines running on the compromised computer.
  • Terminates the processes listed in processes.txt, which include SQL Server and the Veeam backup solution, so that database and backup files are not locked during encryption.
  • Encrypts files on the compromised computer and appends the .yanluowang extension to each file.
  • Drops a ransom note named README.txt on the compromised computer.
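The precursor and ransomware stages above leave a recognizable sequence in process-creation telemetry: AdFind reconnaissance, remote process enumeration over WMI against a host list, and the killing of backup and database processes before encryption. The following script is an added example (not code from the original advisory or from any vendor report) that correlates those stages per host over Sysmon Event ID 1 / Security 4688 style records. The log lines, host names, and the `SAMPLE_EVENTS` field layout (`host|user|image|command_line`) are constructed for the example; the `/node:@hosts.txt` form is the real WMIC syntax for reading target hosts from a file, but the exact command lines the actors used are not given on the page and are assumed here.

```python
"""Correlate Yanluowang pre-deployment stages in process-creation logs.

Added illustrative example; the events below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed events, flattened to "host|user|image|command_line".
SAMPLE_EVENTS = [
    "WS01|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|winword.exe report.docx",
    "WS01|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe|adfind.exe -f (objectcategory=computer)",
    "WS01|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe|adfind.exe -f (objectcategory=person) -csv samaccountname",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:@hosts.txt process get name,processid",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\net.exe|net stop VeeamBackupSvc",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM sqlservr.exe",
    # Benign: the Veeam service itself starting on a backup server.
    "WS02|CORP\\svc_backup|C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe|Veeam.Backup.Service.exe",
]

# Stage 1: AdFind run from any path (legitimate admin tool, suspicious on a workstation).
ADFIND_RE = re.compile(r"(?:^|\\)adfind(?:\.exe)?\b", re.IGNORECASE)
# Stage 2: WMI process enumeration against remote hosts (/node:<host> or /node:@file).
WMI_REMOTE_PROC_RE = re.compile(r"\bwmic(?:\.exe)?\b.*/node:\S+.*\bprocess\b", re.IGNORECASE)
# Stage 3: service/process termination aimed at backup or database software.
KILL_TOOL_RE = re.compile(
    r"\b(?:taskkill(?:\.exe)?|net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\b", re.IGNORECASE)
PROTECTED_TARGET_RE = re.compile(r"veeam|sqlservr|mssql", re.IGNORECASE)


def classify(text):
    """Return the attack stage a single image+command line belongs to, or None."""
    if ADFIND_RE.search(text):
        return "adfind_recon"
    if WMI_REMOTE_PROC_RE.search(text):
        return "wmi_remote_process_enum"
    if KILL_TOOL_RE.search(text) and PROTECTED_TARGET_RE.search(text):
        return "backup_db_tampering"
    return None


def correlate(events):
    """Map each host to the set of distinct stages observed on it."""
    stages = defaultdict(set)
    for line in events:
        host, _user, image, cmd = line.split("|", 3)
        stage = classify(f"{image} {cmd}")
        if stage:
            stages[host].add(stage)
    return dict(stages)


def hosts_to_escalate(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain.

    A lone AdFind query may be an administrator; recon combined with remote
    process enumeration or backup tampering on the same host matches the
    deployment pattern above and warrants immediate response.
    """
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(seen))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Tune `PROTECTED_TARGET_RE` to the backup and database products actually deployed in your environment, and feed `correlate` a window of events (for example, the last 24 hours per host) rather than the whole log, so that an administrator's AdFind query from last month does not combine with an unrelated service restart today.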

It is important to highlight that the samples obtained are code-signed with a valid digital signature. A valid signature makes the malware appear legitimate and can let it bypass security controls that trust signed binaries; signature validity alone should therefore not be treated as proof that a file is benign.

Cisco confirmed a breach of its corporate network and assessed with high confidence that the attack was conducted by an adversary previously linked to the Lapsus$ threat actor and to the operators of the Yanluowang ransomware.

Cisco stated that the threat actor was only able to harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account, and that no Yanluowang ransomware payload was observed during the attack.

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRTs’ constituents.

Mitigations
  • Search your environment for existing signs of the indicated IOCs.
  • Block all URL- and IP-based IOCs on the organization’s security devices.
  • Implement network segmentation so that machines on your network are not reachable from every other machine.
  • If remote access is required, use a VPN following vendor best practices: multi-factor authentication, password audits, precise access control, and active monitoring of remote access sessions.
  • Accounts used for remote access services should have limited privileges on the rest of the corporate network.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and its signature files are up to date.
  • Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
  • Back up your data to multiple backup destinations, including offline media such as tape drives, so that backups survive the termination of backup services and encryption of online copies.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Install updates and patches for operating systems, software, and firmware as soon as they are released.
