Yanluowang Ransomware: New Gang Targets Businesses
Cybersecurity experts have identified a new ransomware gang that appears to operate under the name Yanluowang. Its malware, the Yanluowang Ransomware, is deployed through a multi-stage attack. The criminals use the publicly available AdFind utility to gather intelligence about the Active Directory settings and configuration on the victim's network. They also use custom malware to collect data about running processes and reachable systems in order to prepare for the final stage of the attack: deploying the Yanluowang Ransomware.
What Do Yanluowang Ransomware's Preparations Lead To?
Ransomware attacks typically aim to lock important data, including databases and backups. However, if a file is held open by another program, the file-locker may be unable to access its contents. This is why the Yanluowang Ransomware reads the processes.txt file, which contains the list of running processes gathered earlier, and then terminates those processes. This ensures that it can lock databases and backups without being blocked by open file handles.
Once the infection succeeds, the ransomware encrypts files and appends the '.yanluowang' extension to their names. It then creates the 'README.txt' ransom note. In it, the criminals warn the victim not to contact law enforcement and not to try to remove the threat. They claim to have stolen large amounts of data from the infected systems and threaten to publish it online unless their demands are met.
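As an added example that is not part of the original article, the following Python sketch turns the behaviours described in this section into detection logic run over constructed endpoint telemetry: the AdFind reconnaissance, the termination of processes that hold files open, and a burst of files renamed with the '.yanluowang' extension next to a 'README.txt' ransom note. The event schema, the alert thresholds and the sample host, process and file names are assumptions made for illustration; only the indicators themselves come from the article.

```python
"""Detection sketch for the Yanluowang-style attack chain described above.

Added example, not code from the original article. It replays constructed
endpoint telemetry (process starts, process terminations, file renames and
file creations) and flags the behaviours the article describes. The event
schema, thresholds and sample names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators taken directly from the article.
RECON_TOOL = "adfind.exe"
RANSOM_EXTENSION = ".yanluowang"
RANSOM_NOTE = "readme.txt"

# Tuning knobs chosen for this example (assumptions, not values from the article).
KILL_THRESHOLD = 3      # distinct processes terminated on one host
RENAME_THRESHOLD = 5    # distinct files renamed to the ransom extension on one host


@dataclass(frozen=True)
class Event:
    host: str
    kind: str         # "process_start" | "process_terminate" | "file_rename" | "file_create"
    subject: str      # process image path, or file path before the operation
    detail: str = ""  # new path for renames; unused for the other kinds


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting both separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return sorted (host, rule) alerts for the given telemetry."""
    alerts = set()
    killed = defaultdict(set)   # host -> image names terminated
    renamed = defaultdict(set)  # host -> files renamed to the ransom extension
    notes = defaultdict(set)    # host -> ransom notes written

    for ev in events:
        name = _basename(ev.subject)
        if ev.kind == "process_start" and name == RECON_TOOL:
            # AdFind is a legitimate admin tool, so its launch is surfaced
            # on its own rather than treated as a confirmed compromise.
            alerts.add((ev.host, "adfind_recon"))
        elif ev.kind == "process_terminate":
            killed[ev.host].add(name)
        elif ev.kind == "file_rename" and ev.detail.lower().endswith(RANSOM_EXTENSION):
            renamed[ev.host].add(ev.subject)
        elif ev.kind == "file_create" and name == RANSOM_NOTE:
            notes[ev.host].add(ev.subject)

    for host, images in killed.items():
        if len(images) >= KILL_THRESHOLD:
            alerts.add((host, "mass_process_termination"))
    for host, files in renamed.items():
        if len(files) >= RENAME_THRESHOLD:
            alerts.add((host, "ransom_extension_burst"))
            # A README.txt alone is common; it only matters next to the burst.
            if notes.get(host):
                alerts.add((host, "ransom_note_dropped"))
    return sorted(alerts)


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    Event("ws01", "process_start", r"C:\Users\Public\AdFind.exe"),
    Event("ws01", "process_terminate", r"C:\Program Files\DB\sqlservr.exe"),
    Event("ws01", "process_terminate", r"C:\Program Files\Backup\backupsvc.exe"),
    Event("ws01", "process_terminate", r"C:\Program Files\Office\winword.exe"),
    *[
        Event("ws01", "file_rename", rf"D:\share\report{i}.docx",
              rf"D:\share\report{i}.docx.yanluowang")
        for i in range(6)
    ],
    Event("ws01", "file_create", r"D:\share\README.txt"),
    Event("ws02", "process_start", r"C:\Windows\explorer.exe"),
    Event("ws02", "process_terminate", r"C:\Windows\notepad.exe"),
    Event("ws02", "file_rename", r"D:\share\notes.txt", r"D:\share\notes.bak"),
    Event("ws02", "file_create", r"D:\share\README.txt"),  # a plain readme, no burst
]


def sample_alerts() -> List[Tuple[str, str]]:
    """Run the detector over the constructed sample; used for the demo and test."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, rule in sample_alerts():
        print(f"{host}: {rule}")
```

The three rules are kept separate on purpose: AdFind alone is a weak signal on a server and a strong one on a workstation, mass process termination is what the article singles out as the step right before encryption, and the rename burst is the point at which containment has to be immediate. Running the sample prints four alerts for ws01 and none for ws02.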
The criminals provide a different contact email address for each victim and are likely to demand payment in cryptocurrency. So far, there is no information about victims who agreed to pay the Yanluowang Ransomware operators. There is no guarantee that paying will get your files back or prevent the stolen data from being leaked online. Recovering from a ransomware attack is never easy, and prevention is always the best course of action. Proper security measures and up-to-date antivirus software can protect your systems and network from a Yanluowang Ransomware infiltration.