
Ransomware Threat Actors on the Rise in US, Target Big Organizations


A threat actor previously linked to the Thieflock ransomware campaign may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. organizations. Researchers at Symantec, a division of Broadcom Software, found connections between Yanluowang and Thieflock; details of Yanluowang were first published in October, after the researchers found it used against a large firm. They believe the same actor has been using this ransomware to attack financial organizations in the U.S., and has also compromised firms in the manufacturing, engineering, consultancy, and IT services sectors with it.

Experts noticed a probable link between new Yanluowang attacks and earlier attacks which involved Thieflock, a RaaS (ransomware as a service), built by the Canthroid group, aka Fivehands. This shows how there's no loyalty in ransomware users, especially those who work as affiliates of RaaS operations. As per ThreatPost, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target." 

Ransomware developers pivot here and there; they switch business based on the profit margins offered by ransomware threat actors, and there is no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The researchers have summarized some of the tools used in the Yanluowang attacks, a few of which share commonalities with the Thieflock attacks, which may lead one to believe that the actor orchestrating the attacks is experienced with Thieflock's deployment. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they’ve gained this access," said ThreatPost.

The New Yanluowang Ransomware Gang is Targeting US Businesses


Symantec recently identified a new ransomware strain known as Yanluowang in targeted operations against US companies. 

In October, the Symantec Threat Hunter team found a "new arrival to the targeted ransomware scene" that appeared to still be under development. Nevertheless, according to a blog post published on Wednesday, 1 December 2021, the variant dates back to at least August of the same year. According to Symantec, the operators behind Yanluowang mostly targeted financial firms, although businesses in the manufacturing, IT services, consulting, and engineering industries have also been attacked.

According to Vikram Thakur, technical director at Symantec, the threat is more opportunistic than a carefully targeted ransomware campaign. Thakur said the majority of cases he has encountered involved unpatched Microsoft Exchange servers or Internet Information Services (IIS) servers.

Symantec observed multiple indicators of compromise, including the use of publicly available tools such as AdFind, used to locate the victim's Active Directory server, and SoftPerfect Network Scanner, which discovers hostnames and network services. Yanluowang threat actors frequently employ BazarLoader, a piece of malware typically used in the early stages of ransomware attacks.

"Once attackers get onto the computer, they take the installer for ConnectWise type applications and then double click on it and then they install it," Thakur said. 

"If I was to take a look at the last 100 ransomware connected investigations over the last couple of months, attackers have always installed it on the computer rather than relying upon something that's already there." 

In most cases, according to the blog post, "PowerShell was used to download tools to compromised systems." 

"After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool."  

The later attack phases observed by Symantec feature credential theft using a variety of credential-stealing programs, including GrabChrome, which collects credentials from Chrome. Open-source tools such as KeeThief, described by Symantec as a "PowerShell script to copy the master key from KeePass", have also been used.

While investigating the new ransomware outbreak, Symantec Threat Intelligence identified tactics, techniques, and procedures (TTPs) similar to those of Thieflock, a well-known ransomware-as-a-service "developed by the Canthroid" group.

One such link is the use of "custom password recovery tools such as GrabFF and other open-source password dumping tools."

To counter the Yanluowang threat, Thakur recommends that businesses audit the computers on their network and hunt for unapproved software.
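A host audit along the lines Thakur recommends, written here as an added example (not Symantec's or the blog's code): it checks whether Remote Desktop has been enabled through the registry and searches installed programs and services for the tools named in the posts above. The fDenyTSConnections value is the standard RDP switch and is an assumption on my part (the post says only "via registry"); the regex watchlist is likewise an assumption about how these products appear in DisplayName and service paths.

```powershell
# Added audit example (not from Symantec or the blog). Run in an elevated
# PowerShell session on the Windows host being reviewed.

# Tools named in the posts; the regex forms are an assumption about how they
# show up in DisplayName / service binary paths. Widen them for your estate.
$Watchlist = @(
    'ScreenConnect|ConnectWise',   # legitimate remote-access tool the actors install themselves
    'AdFind',                      # Active Directory enumeration
    'SoftPerfect.*Scanner',        # network / hostname scanner
    'BazarLoader',
    'filegrab'
)
$Pattern = ($Watchlist -join '|')

function Get-RdpRegistryState {
    # fDenyTSConnections = 0 means Remote Desktop is enabled (assumed standard value).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        Check   = 'RDP enabled via registry'
        Enabled = ($v -eq 0)
        Detail  = "fDenyTSConnections=$v"
    }
}

function Get-WatchlistedSoftware {
    # Installed programs from both Uninstall hives (64-bit and 32-bit), then
    # services whose display name or binary path matches the watchlist.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation } }

    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = $_.PathName } }
}

$rdp = Get-RdpRegistryState
if ($rdp.Enabled) { Write-Warning "Remote Desktop is enabled ($($rdp.Detail)); confirm this is sanctioned." }

$hits = @(Get-WatchlistedSoftware)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { Write-Output 'No watchlisted software found.' }
```

A hit is not proof of compromise; ConnectWise in particular is a legitimate product, so compare findings against your approved-software inventory before acting.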

"The simplest solution is when patches are released for the applications on your machines, test them, deploy them as quickly as possible, because attackers are going to exploit them in just a matter of days after," he added.