Malicious actors are using a new, albeit underdeveloped, strain of malware to target enterprises, Broadcom's Symantec Threat Hunter Team announced.
The researchers say they gained access to a trove of malicious files after an extortion attack against an unnamed large organization. The investigation led the team to conclude that the files belonged to an entirely new ransomware family.
The ransomware's name, Yanluowang, refers to Yanluo Wang, a deity in Chinese religion and Taoism. The ominous deity is a judge in the underworld, passing judgment on the dead on their way to reincarnation or hell.
According to Symantec's blog entry, researchers first spotted suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim's internal network.
The tool is a favorite of ransomware groups: attackers use it for reconnaissance, and it gives them the information they need for lateral movement.
A few days after the discovery was made, the attackers attempted to deploy the ransomware. According to the researchers, before Yanluowang is deployed, a precursor tool creates a .txt file listing the remote machines to check, the number of which is specified on the command line.
The tool also uses Windows Management Instrumentation (WMI) to get a list of the processes running on the remote machines listed in the .txt file, and logs all the processes and remote machine names to processes.txt.
Once these steps are completed, the attackers deploy the ransomware, which stops all hypervisor virtual machines running on the compromised computer and terminates the processes listed in processes.txt, including SQL and the backup solution Veeam.
After that, the ransomware encrypts files on the compromised computer, appends the .yanluowang extension to each file, and finally drops a ransom note named README.txt on the compromised computer.
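The attack chain above (AdFind reconnaissance, a precursor tool that enumerates remote processes over WMI and writes processes.txt, then mass renaming to .yanluowang and a README.txt drop) maps directly onto telemetry a defender already collects. The following script is an added example, not code from Symantec or CyberNews: it runs simple detection rules over a constructed, simplified EDR-style event stream (one JSON object per line with event, host, image, cmdline and path fields). The hostnames, paths and command lines in the sample are invented, and the assumption that the WMI enumeration surfaces as wmic.exe with a /node: argument is mine; real telemetry (Sysmon process-creation and file-creation events, EDR file-rename events) has to be mapped to this shape first.

```python
"""Detection sketch for the Yanluowang pre-deployment chain described in
Symantec's write-up. Added example; not Symantec's or CyberNews' code.
Log format is a constructed, simplified EDR-style stream, one JSON object
per line. Adapt the field names to your own Sysmon/EDR schema."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: hosts, users, paths and command lines are invented.
# WS01 shows the full chain; WS02 only creates a benign README.txt.
SAMPLE_LOG = r"""
{"ts": 1, "event": "process", "host": "WS01", "image": "C:\\Users\\jdoe\\adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer", "path": ""}
{"ts": 2, "event": "process", "host": "WS01", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic /node:@hosts.txt process list brief", "path": ""}
{"ts": 3, "event": "file_create", "host": "WS01", "image": "C:\\Users\\jdoe\\tool.exe", "cmdline": "", "path": "C:\\Users\\jdoe\\processes.txt"}
{"ts": 4, "event": "process", "host": "WS01", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe", "path": ""}
{"ts": 5, "event": "file_rename", "host": "WS01", "image": "C:\\Users\\jdoe\\x.exe", "cmdline": "", "path": "C:\\Share\\a.docx.yanluowang"}
{"ts": 6, "event": "file_rename", "host": "WS01", "image": "C:\\Users\\jdoe\\x.exe", "cmdline": "", "path": "C:\\Share\\b.xlsx.yanluowang"}
{"ts": 7, "event": "file_rename", "host": "WS01", "image": "C:\\Users\\jdoe\\x.exe", "cmdline": "", "path": "C:\\Share\\c.pdf.yanluowang"}
{"ts": 8, "event": "file_create", "host": "WS01", "image": "C:\\Users\\jdoe\\x.exe", "cmdline": "", "path": "C:\\Share\\README.txt"}
{"ts": 9, "event": "file_create", "host": "WS02", "image": "C:\\Program Files\\Git\\git.exe", "cmdline": "", "path": "C:\\repo\\README.txt"}
"""


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse the newline-delimited JSON stream, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: list[dict], encrypt_threshold: int = 3) -> list[Finding]:
    """Apply the per-stage rules and return one Finding per hit.

    The .yanluowang rule is stateful: it fires only once a host has renamed
    at least `encrypt_threshold` files, and notes whether README.txt was
    also dropped there. README.txt alone is never reported (too noisy)."""
    findings: list[Finding] = []
    renamed: dict[str, int] = defaultdict(int)   # host -> .yanluowang count
    note_hosts: set[str] = set()                 # hosts where README.txt appeared

    for ev in events:
        host = ev["host"]
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()
        name = basename(ev.get("path", ""))

        if ev["event"] == "process":
            # Stage 1: AdFind reconnaissance (the tool named in the report).
            if image == "adfind.exe":
                findings.append(Finding(host, "adfind_recon", ev["cmdline"]))
            # Stage 2 (assumption): WMI process enumeration against remote
            # nodes, modelled here as wmic.exe with /node: and a process query.
            if image == "wmic.exe" and "/node:" in cmd and "process" in cmd:
                findings.append(Finding(host, "wmi_remote_process_enum", ev["cmdline"]))
        elif ev["event"] in ("file_create", "file_rename"):
            # Stage 2: the precursor tool's output file is literally processes.txt.
            if name == "processes.txt":
                findings.append(Finding(host, "precursor_process_list", ev["path"]))
            # Stage 3: encrypted files carry the .yanluowang extension.
            if name.endswith(".yanluowang"):
                renamed[host] += 1
            if name == "readme.txt" and ev["event"] == "file_create":
                note_hosts.add(host)

    for host, count in renamed.items():
        if count >= encrypt_threshold:
            detail = f"{count} files renamed to .yanluowang"
            if host in note_hosts:
                detail += "; README.txt dropped"
            findings.append(Finding(host, "yanluowang_encryption", detail))
    return findings


def detect(text: str) -> list[Finding]:
    """Convenience wrapper: parse then analyze."""
    return analyze(parse_events(text))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

The rules are deliberately ordered by how early in the intrusion they fire: an AdFind hit or a remote WMI process sweep arrives days before encryption, which is where the report says Symantec caught this case, whereas the .yanluowang rename burst is already too late for prevention and is mainly useful for scoping. The threshold on renames and the requirement to see README.txt only alongside those renames keep a lone benign README.txt (host WS02 in the sample) from paging anyone.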
Much like many other ransomware notes, the Yanluowang note warns victims not to contact law enforcement or ransomware negotiation firms.
The threat actors warn that if these rules are broken, they will launch a DDoS attack against the victim while simultaneously calling the victim's employees and business partners.
Year in turmoil
Cyberattacks are increasing in scale, sophistication, and scope. In 2020, ransomware payments reached over $400 million, more than four times the level of 2019. This year will likely set another record benchmark for ransomware cartels globally.
The last 12 months were rife with major high-profile cyberattacks on network management company SolarWinds, the Colonial Pipeline's oil network, meat processing company JBS, and software firm Kaseya. Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.
Recently, a Russia-linked cyber cartel attacked New Cooperative Inc., a major US farm service provider, demanding $5.9 million in ransom. Meanwhile, ransomware recently dubbed Ranion offered an entirely different payment structure: the group only asks for an upfront payment for its malware, without additional service fees.
A recent IBM report shows that the average data breach costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, making the recent figure a 10% increase.