Broadcom Software’s Symantec Threat Hunter Team discovers first-of-its-kind ransomware

The new ransomware family, called Yanluowang, appears to still be under development and lacks some sophisticated features found in similar code. Still, Symantec said, it is dangerous.



The Symantec Threat Hunter Team at Broadcom Software has discovered what appears to be a brand new family of ransomware named after the Chinese deity who judges the souls of the dead.

Yanluowang is the perfect ransomware for the Halloween season, though this particular malevolent digital spirit lacks the subtlety and sophistication of some of its more established (and more terrifying) brethren.

The lack of sophisticated features (and its obscurity) clued researchers in to the fact that Yanluowang was likely new, rather than just poorly coded. "It's possible that implementing this was beyond the ability of the developers, but we think it's more likely that they plan to implement it at a later date and this was a minimal viable product," said Symantec principal editor Dick O'Brien.


It's unknown where Yanluowang came from, who's behind it or whether it has been used in any attacks other than the one Symantec responded to against an unnamed "large organization." Among the files it obtained was code that Symantec said appeared to come from an underdeveloped ransomware family, and the researchers were clued in by suspicious use of the Active Directory query tool AdFind.

"This tool is often abused by ransomware attackers as a reconnaissance tool, as well as to equip the attackers with the resources that they need for lateral movement via Active Directory. Just days after the suspicious AdFind activity was observed on the victim organization, the attackers attempted to deploy the Yanluowang ransomware," Symantec's report said.

Yanluowang also leaves a few signs behind on a compromised computer before it actually deploys the ransomware itself: a .txt file holding the number of remote machines on the network is created; that list is then run against Windows Management Instrumentation (WMI) to get a list of the processes running on those machines, which are in turn logged to the .txt file for later retrieval.

Once installed, the Yanluowang ransomware itself stops all hypervisor VMs running on the compromised machine, ends the processes listed in the .txt file, encrypts files and drops a readme containing a ransom note on the infected machine.
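The two precursor behaviours described above, AdFind reconnaissance followed days later by remote process enumeration over WMI, are exactly the kind of sequence a detection engineer can correlate in process-creation telemetry before any encryption starts. The script below is an added example for this article, not Symantec's tooling and not code from the Yanluowang operators. It assumes Sysmon Event ID 1-style JSON-lines records with UtcTime, Computer, Image and CommandLine fields, assumes the WMI enumeration is visible as a wmic command line (a tool calling the WMI API in-process would need WMI-Activity or DCOM/WinRM network telemetry instead), and uses generic AdFind query patterns and a one-week window as assumptions, since the article names neither the exact queries nor the exact delay. The sample events are constructed.

```python
"""Hunt for AdFind-style AD reconnaissance followed, on the same host, by
remote process enumeration over WMI, in process-creation telemetry.
Added example for this article; not Symantec's tooling and not the
operators' code. Record format and sample events are constructed."""
import json
import re
from datetime import datetime, timedelta

# Query shapes commonly seen when AdFind is used for ransomware recon
# (assumption: the article does not list the exact queries). Matching the
# command line rather than only the image name catches a renamed binary.
ADFIND_ARGS = re.compile(
    r"objectcategory=(person|computer|group|subnet|organizationalunit)"
    r"|-sc\s+trustdmp\b|-gcb\b",
    re.IGNORECASE,
)
ADFIND_IMAGE = re.compile(r"\\adfind\.exe$", re.IGNORECASE)

# Remote process listing over WMI launched via wmic (assumption: in-process
# WMI API calls would leave no such command line).
WMI_REMOTE_PROC = re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\b", re.IGNORECASE)

# The article reports deployment "just days" after the AdFind activity;
# a week is a conservative correlation window (assumption).
CORRELATION_WINDOW = timedelta(days=7)


def parse_events(lines):
    """Parse JSON-lines process-creation records and sort them by time."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def classify(rec):
    """Label one record 'adfind', 'wmi_remote_proc' or None."""
    cmd = rec.get("CommandLine", "")
    if ADFIND_IMAGE.search(rec.get("Image", "")) or ADFIND_ARGS.search(cmd):
        return "adfind"
    if WMI_REMOTE_PROC.search(cmd):
        return "wmi_remote_proc"
    return None


def hunt(lines, window=CORRELATION_WINDOW):
    """Return one alert per remote WMI process enumeration that follows
    AdFind-like activity on the same host within `window`. Enumeration with
    no preceding recon (routine admin work) or outside the window is ignored."""
    first_recon = {}  # host -> timestamp of first AdFind-like execution
    alerts = []
    for rec in parse_events(lines):
        host = rec.get("Computer", "?")
        kind = classify(rec)
        if kind == "adfind":
            first_recon.setdefault(host, rec["ts"])
        elif kind == "wmi_remote_proc" and host in first_recon:
            if rec["ts"] - first_recon[host] <= window:
                alerts.append({
                    "host": host,
                    "recon_at": first_recon[host].isoformat(),
                    "enum_at": rec["ts"].isoformat(),
                    "command": rec.get("CommandLine", ""),
                })
    return alerts


# Constructed sample telemetry: renamed AdFind on WS-0147, wmic enumeration
# of remote hosts three days later, unrelated wmic use on SRV-09, and a
# late enumeration on WS-0147 outside the window.
SAMPLE_RECORDS = [
    {"UtcTime": "2021-10-20 09:12:03", "Computer": "WS-0147",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\af.exe",
     "CommandLine": "af.exe -f \"(objectcategory=person)\""},
    {"UtcTime": "2021-10-20 09:12:41", "Computer": "WS-0147",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\af.exe",
     "CommandLine": "af.exe -f \"objectcategory=computer\""},
    {"UtcTime": "2021-10-23 14:30:10", "Computer": "WS-0147",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:FS-01 process get name,processid"},
    {"UtcTime": "2021-10-23 14:30:12", "Computer": "WS-0147",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:SQL-02 process get name,processid"},
    {"UtcTime": "2021-10-23 15:00:00", "Computer": "SRV-09",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:FS-01 process get name"},
    {"UtcTime": "2021-11-15 08:00:00", "Computer": "WS-0147",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:FS-01 process get name"},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LINES):
        print(json.dumps(alert))
```

Run on the sample, only the two WS-0147 enumerations that follow the renamed AdFind fire; the administrator's wmic call on SRV-09 and the enumeration weeks later do not. The correlation is what keeps the AdFind pattern useful, since the query strings alone will also match legitimate directory audits.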

The note itself warns victims not to call law enforcement or a negotiator, the consequence of which would be DDoS attacks against the victim and calls to business partners to inform them of the infection. That chain of events would repeat, with data deletion being the eventual outcome.

O'Brien said that, while new, no element of the Yanluowang ransomware is unique. That doesn't mean Yanluowang isn't a threat, though. "[Yanluowang] may not be as sophisticated as some of its peers, but a successful attack would still be extremely disruptive to any organization," O'Brien said.


Ransomware isn't a problem set to go away anytime soon. If anything, it will only get worse as ransomware actors become better at writing code and exploiting vulnerabilities. Make sure your organization is following best practices for ransomware, like using zero-trust security and other next-generation security products and architectures.
