"New "Yanluowang" Ransomware Variant Discovered"

Security researchers at Symantec are warning of a newly discovered ransomware variant currently being used in targeted attacks.  The new ransomware is dubbed “Yanluowang” after the .yanluowang extension it adds to encrypted files.  The researchers stated that it appears that the group using the variant first deployed the legitimate command-line Active Directory query tool AdFind for reconnaissance and to help with lateral movement.  Before Yanluowang is downloaded, the researchers noted that an additional tool creates a .txt file with the number of remote machines to check in the command line and uses WMI to get a list of processes running on these machines.  It also logs all the processes and remote machine names, the researchers said.  Then, following deployment, the malware stops all hypervisor machines running on the targeted machine, ends the processes listed in the .txt file, encrypts the files, and drops a ransom note named README.txt.  The researchers stated that the ransom note says that if the attackers’ rules are broken, the ransomware operators will conduct distributed denial of service (DDoS) attacks against the victim and make calls to employees and business partners.  The adversaries also threaten to repeat the attack in a few weeks and delete the victim’s data.  The researcher stated that this ransomware appears to be still under development but should not be underestimated. 

Infosecurity reports: "New "Yanluowang" Ransomware Variant Discovered"