Enterprises targeted by a new ransomware called Yanluowang

Yanluowang China Ransomware Malware Cybercrime Malware Solutions

A researching team discovered a new and developing ransomware strain dedicated to attacking enterprises entities. 

The malware, called Yanluowang ransomware, is based on the extension it adds to encrypted files on compromised systems. The name ‘Yanluowang’ is derived after the Chinese god Yanluo Wang, one of the ten kings of hell. 

It was discovered that an investigation was conducted involving a high-profile company after detecting a suspicious activity involving the legit AdFind command line Active Directory tool. Ransomware actors primarily utilize AdFind for investigating tasks, including gathering access to information necessary for movement through their target’s networks. 


How does Yanluowang Ransomware works? 

After the researchers spotted the suspicious AdFind usage, the threat actors also attempted to distribute their Yanluowang ransomware payloads in the infiltrated organization’s central system. Before distributing to compromised devices, the ransomware actors deploy a malicious toll designed to execute multiple actions. 

First, it creates a ‘.txt’ file with numerous remote machines to double-check in the command line. 

Second, they use Windows Management Instrumentation to get a master list of processes running on the remote machine listed in the txt file, logging in all procedures and machine names to processes.txt.  

Finally, when Yanluowang is deployed, it will stop hypervisor virtual machines, end all processes gathered by the precursor tool, encrypt files, and attach the “[.]yanluowang” extension. 

After the encryption to the system, Yanluowang also sends a ransom message labeled README.txt that warns its infiltrated target to not get any help to any law enforcing individuals or ask the advice of any ransomware negotiators. Suppose any of these instructions by the attacker is not complied with. In that case, they will conduct denial of service attacks against the target and contact employees and business associates. In addition, the cybercriminals threaten to attack again after a week and delete all the target’s data. 

Although this newly discovered ransomware is underdeveloped, it is still dangerous since ransomware is one of the biggest and severe threats to all organizations around the globe. 

The cybersecurity researchers warn everyone to remain updated in all the advisories given by different firms because the potential of this new ransomware is limitless. 

About the author


Leave a Reply