Multinational technology company Cisco attacked by Yanluowang ransomware (11th August 2022)

Ref# AL2022_49 | Date: Aug 12th 2022


The worlds leading information technology company Cisco has recently been a victim of the Yanlouwang ransomware group where threat actors managed to breach Ciscos corporate network and extort data amounting to 2.8GB. 


The Yanlouwang is still a recent ransomware as it was seen in targeted attacks on US corporations since at least in August of 2021, with its most recent attack focused on Cisco in May of 2022. However, over the years, the group has increased their targeted scope to companies in manufacturing, IT services consultancy and engineering, and have also targeted other countries such as Brazil and Turkey. 

What is interesting about Yanlouwang is that its files are coded-signed using a valid digital signature. Researchers have suggested that these digital signatures were either stolen or fraudulently signed. Code signing is performed to validate the authenticity of a piece of software; thus, code-signed malware can appear legitimate and non-malicious, allowing it to bypass certain security measures. 

Comparisons of Yanlouwang was drawn to the ransomware threat actor Thieflock, as Youlouwang has seemingly used similar tools, tactics and procedures (TTPs) as Thieflock. Many researchers assumed that the threat actor using Yanglouwag must be an affiliate of Thieflock. Although the ransomware has been staging targeted attacks to large organizations, researchers from Kaspersky have found that the ransomware was underdeveloped, where flaws were found in the ransomwares RSA-1024 asymmetric encryption algorithm and this enabled the kaspersky team to develop a decryptor for the encryption. 

How it works  

Yanluowang requires parameters to be executed on an infected system, meaning it will be executed either manually or through a combination of scripts in the compromised system. It also can be executed remotely through remote desktop tools.  

Upon execution, the ransomware stops all hypervisor virtual machines if any are present on the compromised system. It will then proceed to terminate all SQL and Veeam processes, which are processes related to managing databases and backups. Termination of these database-related and backup processes could potentially lead to loss of access to backup files which will make it harder to recover from the ransomware attack. The ransomware will then encrypt files on the compromised system using the RSA-1024 asymmetric algorithm and append each file with the .yanluowang extension. A ransom note is then dropped on the compromised system. 

Indicators of Compromise   

The hashes and strings below correspond to files linked to the Yanlouwang ransomware: 

  • Ransom.Yanluowang (File based)  

  • Trojan-Ransom.Win32.Yanluowang (File Threat Protection)  

  • d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c (SHA-256) 

  • 49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d (SHA-256) 

  • 2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04 (SHA-256) 

  • afaf2d4ebb6dc47e79a955df5ad1fc8a (MD5) 

  • ba95a2f1f1f39a24687ebe3a7a7f7295 (MD5) 


A decryptor from the Kaspersky team has been developed and can be downloaded from this website: 

To circumvent this type of malware, users are advised to follow the steps below:  

  1. Implement a strong password policy such as multifactor authentication where possible and account reset after a certain number of failed attempts. 

  2. Do not expose remote desktop services (such as RDP) to public networks.  

  3. Always keep software up to date on all your devices to prevent ransomware from exploiting vulnerabilities.  

  4. Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet.  

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary. 

PDF Download: Yanluowang-ransomware.pdf