December 01, 2021

Yanluowang Ransomware Linked to Thieflock Affiliate

Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec

The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been using TTPs similar to those seen in Thieflock ransomware attacks. Based on Symantec's observations, there appears to be a link, or a shift in allegiance, from Thieflock to the Yanluowang ransomware family. Notable TTP patterns include the use of BazarLoader for initial access, PowerShell to download tools that enable RDP via the registry, AdFind for reconnaissance, and various other credential-stealing tools.

  • Anvilogic Scenario: Yanluowang Ransomware – Behaviors
  • Anvilogic Use Cases:
    • RDP Enabled
    • Adfind Execution
    • pypykatz commands
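As a defender-side illustration of the three use cases listed above, the following is detection logic run over constructed process-creation events (Sysmon Event ID 1 style, simplified). This is an added example written for this page, not Anvilogic's or Symantec's detection content; the event field names, the regular expressions, the use-case-to-rule mapping and every sample event are assumptions constructed for illustration. The one real identifier used is `fDenyTSConnections`, the documented Windows registry value under the Terminal Server key that controls whether Remote Desktop connections are denied, which is the natural thing to watch for "RDP enabled" behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample events (hypothetical hosts, users and command lines).
# Field names are an assumption, not a specific SIEM schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-ItemProperty -Path "
                "'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' "
                "-Name fDenyTSConnections -Value 0"},
    {"host": "ws02", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=computer) -csv > computers.csv"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\Public\\pypykatz.exe",
     "cmdline": "pypykatz.exe lsa minidump C:\\temp\\dump.dmp"},
    {"host": "ws04", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\admin\\notes.txt"},
]

# fDenyTSConnections = 0 means "do not deny", i.e. RDP becomes reachable.
# Both reg.exe (/d 0) and PowerShell (-Value 0) spellings are covered.
RDP_VALUE = re.compile(r"fDenyTSConnections", re.IGNORECASE)
RDP_ZERO = re.compile(r"(?:/d\s+|-Value\s+)0\b", re.IGNORECASE)
# AdFind is frequently renamed, so also match its characteristic LDAP-filter
# argument shape rather than relying on the image name alone.
ADFIND_ARGS = re.compile(r"-f\s+\(objectcategory=", re.IGNORECASE)
PYPYKATZ = re.compile(r"\bpypykatz\b", re.IGNORECASE)


@dataclass
class Alert:
    use_case: str
    host: str
    user: str
    cmdline: str


def _basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_rdp_enabled(event):
    c = event["cmdline"]
    return bool(RDP_VALUE.search(c) and RDP_ZERO.search(c))


def detect_adfind(event):
    if _basename(event["image"]) == "adfind.exe":
        return True
    return bool(ADFIND_ARGS.search(event["cmdline"]))


def detect_pypykatz(event):
    return bool(PYPYKATZ.search(event["cmdline"])
                or "pypykatz" in _basename(event["image"]))


# Rule names mirror the use cases listed on this page; the mapping is ours.
RULES = [
    ("RDP Enabled", detect_rdp_enabled),
    ("Adfind Execution", detect_adfind),
    ("pypykatz commands", detect_pypykatz),
]


def run_detections(events):
    """Evaluate every rule against every event; return the alerts raised."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append(Alert(name, ev["host"], ev["user"], ev["cmdline"]))
    return alerts


def hosts_with_chain(alerts, minimum=2):
    """Scenario-style correlation: hosts where at least `minimum` distinct
    use cases fired, which is stronger evidence than any single rule."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.use_case)
    return sorted(h for h, cases in by_host.items() if len(cases) >= minimum)


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.use_case}] {a.host} {a.user}: {a.cmdline}")
    print("hosts with chained behaviours:", hosts_with_chain(found))
```

The per-rule matches are deliberately simple; the correlation step is where the value lies, since enabling RDP or running a directory query can each be legitimate on its own, but several of these behaviours on one host within a short window is what the "Behaviors" scenario is meant to surface. In a real deployment the sample list would be replaced by a feed of process-creation events, and the benign-admin false positives (for example a scripted RDP enablement by a known management tool) would be handled with allow-lists keyed on parent process and user rather than by weakening the patterns.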