Cybercriminals are using a new ransomware strain dubbed Yanluowang to encrypt files on a target network. The ransomware is so named because it appends the extension “yanluowang” to the files it encrypts. In addition to the usual demand for money in exchange for decrypting the files, this latest ransomware also threatens to launch additional attacks against the victim organization and to harass its employees and business partners if the ransom isn’t paid.
Security analysts from Symantec discovered Yanluowang while they were investigating an attempted cyberattack against an undisclosed organization. This particular attack wasn’t successful, but the investigation did identify details of the ransomware. For example, the threat of additional attacks is a new feature intended to increase the likelihood that the victim will pay the ransom.
Once Yanluowang encrypts the target files, it sends a message informing the victims that they’ve been infected by the ransomware and providing a contact address for negotiating the ransom payment. It also tells victims not to contact law enforcement agencies or cybersecurity companies, implying they won’t get their data back if they do. This technique is fairly standard for ransomware, but Yanluowang goes further by threatening a distributed denial-of-service (DDoS) attack intended to crash the victim’s website. It also threatens to delete the encrypted data if the victim fails to cooperate. It’s too early to tell whether these attackers will carry out their threats, but other ransomware actors certainly seem wary of the possibility that victims will share information about the attack with law enforcement or other third parties.
Attack Details
The specific method Yanluowang used to gain access to the victim’s network is still unclear. However, researchers know that the attack involved AdFind, a command-line interface (CLI) tool for querying Active Directory. Ransomware attackers often use this query tool to map out the network, generally in preparation for deploying the ransomware. In this case, the attackers attempted to deploy it several days after investigators detected the suspicious AdFind activity, and the attack failed because investigators had already blocked the attack vector.
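As an added illustration (not code from the article or from the Symantec research), the following Python detector scans constructed process-creation and file-write events for the two signals the article describes: AdFind execution during reconnaissance, and files written with the yanluowang extension during encryption. The key=value log format, the field names and the renamed-binary heuristic (flagging AdFind-style LDAP filters on the command line even when the executable is not called adfind.exe) are assumptions, not something the article specifies.

```python
import re
from typing import Dict, List

# Constructed sample events in a simple key=value format (not real logs from the article).
SAMPLE_EVENTS = [
    'ts=2021-10-14T09:12:03Z host=DC01 event=ProcessCreate user=CORP\\jsmith '
    'image=C:\\Temp\\adfind.exe cmdline="adfind.exe -f objectcategory=computer -csv"',
    'ts=2021-10-14T09:12:10Z host=DC01 event=ProcessCreate user=CORP\\jsmith '
    'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    'ts=2021-10-14T09:15:44Z host=WS07 event=ProcessCreate user=CORP\\svc_backup '
    'image=C:\\Users\\Public\\af.exe cmdline="af.exe -f (objectcategory=person) -csv"',
    'ts=2021-10-17T02:01:12Z host=FS02 event=FileWrite user=CORP\\svc_backup '
    'path=\\\\FS02\\finance\\q3.xlsx.yanluowang',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def adfind_indicators(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like AdFind reconnaissance (empty if none)."""
    reasons: List[str] = []
    if ev.get("event") != "ProcessCreate":
        return reasons
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    if image.rsplit("\\", 1)[-1] == "adfind.exe":
        reasons.append("adfind.exe executed")
    # Heuristic (assumption): AdFind's "-f <ldap filter>" usage survives renaming the binary.
    if "objectcategory=" in cmdline and " -f " in f" {cmdline} ":
        reasons.append("AdFind-style LDAP query on command line")
    return reasons

def yanluowang_indicators(ev: Dict[str, str]) -> List[str]:
    """Flag file writes that carry the extension the ransomware appends."""
    if ev.get("event") == "FileWrite" and ev.get("path", "").lower().endswith(".yanluowang"):
        return ["file written with .yanluowang extension"]
    return []

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run both rules over raw log lines and return one alert per matched reason."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for reason in adfind_indicators(ev) + yanluowang_indicators(ev):
            alerts.append({"ts": ev.get("ts", "?"), "host": ev.get("host", "?"),
                           "user": ev.get("user", "?"), "reason": reason})
    return alerts
```

On the sample above, the first event fires both AdFind rules, the renamed af.exe fires only the command-line heuristic, and the file write fires the extension rule, which is the kind of early signal that let investigators block the attack days before the encryption attempt.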
Prevention
This is the first known attack by Yanluowang, so it’s still a work in progress. Attackers could therefore learn from this failed attempt and make the ransomware more effective in the future. In the meantime, there are a number of steps that organizations can take to protect themselves from ransomware.
In general, they should adopt a defense-in-depth strategy that uses multiple methods of detection and protection, mitigating the risk posed by each vulnerability in a potential attack vector. For example, organizations should only allow Remote Desktop Protocol (RDP) connections from known IP addresses. They should also implement controls and audits of their administrative accounts to ensure they aren’t being used inappropriately.
Additional actions that organizations can take to protect themselves from cyberattacks include applying the latest security patches as they become available. This strategy helps prevent attackers from exploiting newly discovered vulnerabilities, which tend to be highly attractive attack vectors. Organizations should also implement multi-factor authentication (MFA), making it more difficult to exploit compromised usernames and passwords.
Ransomware Yellow flickr photo by Infosec Images shared under a Creative Commons (BY) license