Broadcom Software’s Symantec Threat Hunter Team discovers first-of-its-kind ransomware

The new ransomware family, called Yanluowang, appears to still be under development and lacks some sophisticated features found in similar code. Nonetheless, Symantec said, it’s dangerous.


The Symantec Threat Hunter Team at Broadcom Software has discovered what appears to be a brand new family of ransomware named after the Chinese deity that judges the souls of the dead.


Yanluowang is the perfect ransomware for the Halloween season, though this particular malevolent digital spirit lacks the subtlety and sophistication of some of its more established (and more terrifying) brethren.

The lack of sophisticated features, together with the fact that the code had not been seen before, suggested to researchers that Yanluowang was likely new rather than just poorly coded. “It’s possible that implementing this was beyond the ability of the developers, but we think it’s more likely that they plan to implement it at a later date and this was a minimum viable product,” said Symantec principal editor Dick O’Brien.


It’s unknown where Yanluowang came from, who’s behind it or whether it has been used in any attacks other than the one Symantec responded to, against an unnamed “large organization.” Among the files Symantec obtained was code that appeared to come from an underdeveloped ransomware family; the researchers were first alerted by suspicious use of the Active Directory query tool AdFind.

“This tool is often abused by ransomware attackers as a reconnaissance tool, as well as to equip the attackers with the resources that they need for lateral movement via Active Directory. Just days after the suspicious AdFind activity was observed on the victim organization, the attackers attempted to deploy the Yanluowang ransomware,” Symantec’s report said.

Yanluowang also leaves a few signs behind on a compromised computer before the ransomware itself is deployed: a .txt file listing the remote machines on the network is created; those machines are then queried through Windows Management Instrumentation (WMI) for the processes running on them, and the resulting process list is written to the .txt file for later retrieval.

Once installed, the Yanluowang ransomware itself stops all hypervisor VMs running on the compromised machine, ends the processes listed in the .txt file, encrypts files and drops a readme containing a ransom note on the infected machine.
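The pre-encryption sequence described above (AdFind reconnaissance, then WMI enumeration of processes on remote machines) is the kind of pattern a defender can look for in endpoint process-creation telemetry before the ransomware stage arrives. The following is an added example, not code from the article or from Symantec: it correlates, per host, an AdFind execution followed within a time window by a remote WMI process listing. The event schema, the host names, the use of wmic.exe with /node: as the WMI enumeration vector and the seven-day default window are assumptions made for this example; the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation event (constructed schema, not a real product's)."""
    ts: datetime
    host: str
    image: str     # executable file name, e.g. "adfind.exe"
    cmdline: str   # full command line as recorded


def is_adfind_recon(e: ProcEvent) -> bool:
    # Assumption: matching on the image name alone. A production rule would
    # also key on file hash or original file name, since the binary can be renamed.
    return e.image.lower() == "adfind.exe"


def is_remote_wmi_process_enum(e: ProcEvent) -> bool:
    # Assumption: enumeration via wmic.exe; "/node:" targets a remote machine
    # and the "process" alias lists the processes running there.
    cl = e.cmdline.lower()
    return e.image.lower() == "wmic.exe" and "/node:" in cl and " process" in cl


def correlate(events: Iterable[ProcEvent],
              window_days: int = 7) -> Dict[str, Tuple[datetime, datetime]]:
    """Return {host: (first AdFind time, first remote WMI process enumeration
    after it)} for hosts where the enumeration followed AdFind within window_days."""
    by_host: Dict[str, List[ProcEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    window = timedelta(days=window_days)
    hits: Dict[str, Tuple[datetime, datetime]] = {}
    for host, evs in by_host.items():
        first_adfind: Optional[datetime] = next(
            (e.ts for e in evs if is_adfind_recon(e)), None)
        if first_adfind is None:
            continue
        for e in evs:
            # Order matters: the enumeration must come after the AdFind run.
            if (is_remote_wmi_process_enum(e)
                    and first_adfind <= e.ts <= first_adfind + window):
                hits[host] = (first_adfind, e.ts)
                break
    return hits


# Constructed sample telemetry (hosts, times and command lines are invented).
SAMPLE: List[ProcEvent] = [
    # ws-17: AdFind, then two days later remote process enumeration -> hit
    ProcEvent(datetime(2021, 10, 1, 9, 0), "ws-17", "AdFind.exe", "AdFind.exe -default"),
    ProcEvent(datetime(2021, 10, 1, 9, 5), "ws-17", "explorer.exe", "explorer.exe"),
    ProcEvent(datetime(2021, 10, 3, 14, 0), "ws-17", "wmic.exe",
              "wmic.exe /node:srv-01 process get name,processid"),
    # ws-22: only a local process listing, no AdFind -> no hit
    ProcEvent(datetime(2021, 10, 2, 11, 0), "ws-22", "wmic.exe",
              "wmic.exe process list brief"),
    # srv-03: AdFind alone -> no hit
    ProcEvent(datetime(2021, 10, 1, 8, 30), "srv-03", "AdFind.exe", "AdFind.exe -default"),
    # ws-40: remote enumeration *before* AdFind -> wrong order, no hit
    ProcEvent(datetime(2021, 9, 20, 10, 0), "ws-40", "wmic.exe",
              "wmic.exe /node:srv-02 process get name"),
    ProcEvent(datetime(2021, 10, 5, 10, 0), "ws-40", "AdFind.exe", "AdFind.exe -default"),
]


if __name__ == "__main__":
    for host, (t_adfind, t_enum) in correlate(SAMPLE).items():
        print(f"{host}: AdFind at {t_adfind}, remote WMI process enumeration at {t_enum}")
```

Run stand-alone, the script reports only ws-17, because the other hosts show just one of the two signals or show them in the wrong order. The window is deliberately generous: the article notes that the ransomware deployment came days after the AdFind activity, so a correlation that only looks at minutes would miss the sequence.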

The note itself warns victims not to contact law enforcement or a negotiator; doing so, it says, will result in DDoS attacks against the victim and calls to its business partners informing them of the infection. That chain of events would repeat, with data deletion as the eventual outcome.

O’Brien said that, while new, no element of the Yanluowang ransomware is unique. That doesn’t mean Yanluowang isn’t a threat, though. “[Yanluowang] may not be as sophisticated as some of its peers, but a successful attack would nevertheless be highly disruptive to any organization,” O’Brien said. 


Ransomware isn’t a problem set to go away anytime soon. If anything, it’ll only get worse as ransomware actors become better at writing code and exploiting vulnerabilities. Be sure your organization is following best practices for ransomware, like using zero-trust security and other next-generation security products and architectures.
