Broadcom Software's Symantec Threat Hunter Team discovers first-of-its-kind ransomware

3 years ago 358

The caller ransomware family, called Yanluowang, appears to inactive beryllium nether improvement and lacks immoderate blase features recovered successful akin code. Nonetheless, Symantec said, it's dangerous.

istock-645374756.jpg

kaptnali, Getty Images/iStockphoto

The Symantec Threat Hunter Team astatine Broadcom Software has discovered what appears to beryllium a marque caller household of ransomware named aft the Chinese deity that judges the souls of the dead.

Yanluowang is the cleanable ransomware for the Halloween season, though this peculiar malevolent integer tone lacks the subtlety and sophistication of immoderate of its much established (and much terrifying) brethren.

The deficiency of blase features (and its unknownness) clued researchers into the information that Yanluowang was apt new, alternatively than conscionable poorly coded. "It's imaginable that implementing this was beyond the quality of the developers, but we deliberation it's much apt that they program to instrumentality it astatine a aboriginal day and this was a minimum viable product," said Symantec main exertion Dick O'Brien. 

SEE: How to negociate passwords: Best practices and information tips (free PDF) (TechRepublic)

It's chartless wherever Yanluowang came from, who's down it oregon if it has been utilized successful immoderate attacks different than the 1 that Symantec responded to against an unnamed "large organization." Among the files it obtained was codification that Symantec said seemed to travel from an underdeveloped ransomware family, and they were clued successful by immoderate suspicious usage of the Active Directory query instrumentality AdFind.

"This instrumentality is often abused by ransomware attackers arsenic a reconnaissance tool, arsenic good arsenic to equip the attackers with the resources that they request for lateral question via Active Directory. Just days aft the suspicious AdFind enactment was observed connected the unfortunate organization, the attackers attempted to deploy the Yanluowang ransomware," Symantec's study said.

Yanluowang besides leaves a fewer signs down connected a compromised machine earlier it really deploys the ransomware itself: a .txt record with the fig of distant machines connected the web is created, which is tally against Windows Management Instrumentation to get a database of processes moving connected those machines, which are successful crook logged to the .txt record for aboriginal retrieval. 

Once installed, the Yanluowang ransomware itself stops each hypervisor VMS moving connected a compromised machine, ends processes listed successful the .txt file, encrypts files and drops a readme with a ransom enactment successful it connected the infected machine. 

The enactment itself warns victims not to telephone instrumentality enforcement oregon a negotiator, the effect of which would beryllium DDoS attacks against the unfortunate and calls to concern partners to pass them of the infection. That concatenation of events would repeat, with information deletion being the eventual outcome. 

O'Brien said that, portion new, nary constituent of the Yanluowang ransomware is unique. That doesn't mean Yanluowang isn't a threat, though. "[Yanluowang] whitethorn not beryllium arsenic blase arsenic immoderate of its peers, but a palmy onslaught would nevertheless beryllium highly disruptive to immoderate organization," O'Brien said. 

SEE: Security incidental effect policy (TechRepublic Premium)

Ransomware isn't a occupation acceptable to spell distant anytime soon. If anything, it'll lone get worse arsenic ransomware actors go amended astatine penning codification and exploiting vulnerabilities. Be definite your enactment is pursuing best practices for ransomware, similar utilizing zero-trust security and different next-generation information products and architectures.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article