Tech giant Cisco confirmed that data Yanluowang ransomware gang published on its leak site was stolen during the May cyberattack.
The company had earlier said that it suffered a cyberattack in May. However, the admission came only after the ransomware group Yanluowang published a list of the stolen data on its website.
The group started posting the stolen data recently, a common tactic ransomware gangs employ to push victims into paying up.
“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” Cisco said in a blog post.
However, the company tried to downplay the effect of the hack, adding that the incident had no impact on Cisco’s business, products, services, or customer or employee information.
New kid on the block
Researchers first discovered the Yanluowang strain targeting enterprises last October, when Broadcom’s Symantec Threat Hunter Team obtained the malware from an infected device they had identified.
The ransomware name Yanluowang refers to Yanluo Wang, a deity in Chinese religion and Taoism. The ominous deity is a judge in the underworld, passing judgment on the dead on their way to reincarnation or hell.
According to Symantec’s blog entry, researchers first spotted a suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim’s internal networks.
The tool is a favorite of ransomware groups: attackers use it for reconnaissance, gathering the directory information they need for lateral movement.
The ransomware then encrypts files on the compromised computer, appends the .yanluowang extension to each encrypted file, and finally drops a ransom note named README.txt on the compromised computer.
Like many other ransom notes, the Yanluowang note warns victims not to contact law enforcement or ransomware negotiation firms.
The threat actors warn that if these rules are broken, they will launch a DDoS attack against the victim while simultaneously calling the victim’s employees and business partners.
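The two observable traits Symantec describes above, AdFind execution before the encryption phase and directories holding .yanluowang files next to a README.txt note, can be turned into a simple triage check. The following is an added example, not Cisco's, Symantec's or Cybernews' code; the process-event field names (ts, host, image, cmd), the sample events and the file listing are all constructed for illustration.

```python
"""Constructed, offline triage helper for the Yanluowang tradecraft described above."""
import os
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2022-05-24T10:01:02Z", "host": "ws-042",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"ts": "2022-05-24T10:03:17Z", "host": "ws-042",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AdFind.exe", "cmd": "AdFind.exe -f (objectcategory=person)"},
    {"ts": "2022-05-24T10:03:19Z", "host": "ws-042",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AdFind.exe", "cmd": "AdFind.exe -f objectcategory=computer"},
    {"ts": "2022-05-24T10:05:00Z", "host": "ws-042",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
]

# Constructed sample listing of a file share after an incident (not real data).
SAMPLE_PATHS = [
    r"\\fs01\finance\Q2\budget.xlsx.yanluowang",
    r"\\fs01\finance\Q2\forecast.docx.yanluowang",
    r"\\fs01\finance\Q2\README.txt",
    r"\\fs01\hr\policies\handbook.pdf",
    r"\\fs01\hr\policies\README.txt",  # README.txt with no encrypted neighbours: not treated as a note
]

def adfind_executions(events):
    """Flag events whose image is AdFind. Admins use it legitimately too, so this is a lead, not a verdict."""
    hits = []
    for ev in events:
        name = os.path.basename(ev["image"].replace("\\", "/")).lower()
        if name == "adfind.exe":
            hits.append((ev["ts"], ev["host"], ev["cmd"]))
    return hits

def encryption_artifacts(paths):
    """Group paths by directory; a directory with .yanluowang files plus README.txt matches the described note drop."""
    by_dir = defaultdict(lambda: {"encrypted": [], "note": None})
    for p in paths:
        d, f = p.replace("\\", "/").rsplit("/", 1)
        if f.lower().endswith(".yanluowang"):
            by_dir[d]["encrypted"].append(f)
        elif f.lower() == "readme.txt":
            by_dir[d]["note"] = f
    return {d: v for d, v in by_dir.items() if v["encrypted"]}

def triage(events, paths):
    """Combine both signals into one summary a responder can act on."""
    recon, enc = adfind_executions(events), encryption_artifacts(paths)
    return {"adfind_hosts": sorted({h for _, h, _ in recon}), "adfind_count": len(recon),
            "encrypted_files": sum(len(v["encrypted"]) for v in enc.values()),
            "dirs_with_note": sorted(d for d, v in enc.items() if v["note"])}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_PATHS))
```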