The worlds leading information technology company Cisco has recently been a victim of the Yanlouwang ransomware group where threat actors managed to breach Ciscos corporate network and extort data amounting to 2.8GB.
The Yanlouwang is still a recent ransomware as it was seen in targeted attacks on US corporations since at least in August of 2021, with its most recent attack focused on Cisco in May of 2022. However, over the years, the group has increased their targeted scope to companies in manufacturing, IT services consultancy and engineering, and have also targeted other countries such as Brazil and Turkey.
What is interesting about Yanlouwang is that its files are coded-signed using a valid digital signature. Researchers have suggested that these digital signatures were either stolen or fraudulently signed. Code signing is performed to validate the authenticity of a piece of software; thus, code-signed malware can appear legitimate and non-malicious, allowing it to bypass certain security measures.
Comparisons of Yanlouwang was drawn to the ransomware threat actor Thieflock, as Youlouwang has seemingly used similar tools, tactics and procedures (TTPs) as Thieflock. Many researchers assumed that the threat actor using Yanglouwag must be an affiliate of Thieflock. Although the ransomware has been staging targeted attacks to large organizations, researchers from Kaspersky have found that the ransomware was underdeveloped, where flaws were found in the ransomwares RSA-1024 asymmetric encryption algorithm and this enabled the kaspersky team to develop a decryptor for the encryption.
How it works
Yanluowang requires parameters to be executed on an infected system, meaning it will be executed either manually or through a combination of scripts in the compromised system. It also can be executed remotely through remote desktop tools.
Upon execution, the ransomware stops all hypervisor virtual machines if any are present on the compromised system. It will then proceed to terminate all SQL and Veeam processes, which are processes related to managing databases and backups. Termination of these database-related and backup processes could potentially lead to loss of access to backup files which will make it harder to recover from the ransomware attack. The ransomware will then encrypt files on the compromised system using the RSA-1024 asymmetric algorithm and append each file with the .yanluowang extension. A ransom note is then dropped on the compromised system.
Indicators of Compromise
The hashes and strings below correspond to files linked to the Yanlouwang ransomware:
Ransom.Yanluowang (File based)
Trojan-Ransom.Win32.Yanluowang (File Threat Protection)
A decryptor from the Kaspersky team has been developed and can be downloaded from this website: https://www.pcrisk.com/removal-guides/24226-yanluowang-ransomware
To circumvent this type of malware, users are advised to follow the steps below:
Implement a strong password policy such as multifactor authentication where possible and account reset after a certain number of failed attempts.
Do not expose remote desktop services (such as RDP) to public networks.
Always keep software up to date on all your devices to prevent ransomware from exploiting vulnerabilities.
Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet.
The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.
PDF Download: Yanluowang-ransomware.pdf
Rivero, M. and Zinchenko, Y. (2022, April 18). NHow to recover files encrypted by Yanluowang. Retrieved from Securelist by Kaspersky. https://securelist.com/how-to-recover-files-encrypted-by-yanluowang/106332/
Nichols, S. (2022, April 20). Kaspersky releases decryptor for Yanluowang ransomware. Retrieved from TechTarget. https://www.techtarget.com/searchsecurity/news/252516152/Kaspersky-releases-decryptor-for-Yanluowang-ransomware
Threat Hunter Team. (2021, October 14). New Yanluowang Ransomware Used in Targeted Attacks. Retrieved from Broadcom Software.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware
Ladores, D. O. (2021, December 10). New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes. Retrieved from TrendMicro. https://www.trendmicro.com/en_us/research/21/l/yanluowang-ransomware-code-signed-terminates-database-processes.html
Avertium. (2021, December 7). An In-Depth Look at Yanluowang Ransomware. Retrieved from Avertium.https://www.avertium.com/resources/threat-reports/in-depth-look-at-yanluowang-ransomware
Gatlan, S. (2022, August 10). Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen. Retrieved from Bleepingcomputer. https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/