New Yanluowang ransomware mounting targeted attacks in US

Symantec threat analysts observed the new ransomware operation abusing legitimate tools such as ConnectWise's remote access product to move laterally inside networks.

A new ransomware threat tracked by Symantec as Yanluowang has been observed in targeted attacks against U.S. companies.

In October, the Symantec Threat Hunter team uncovered a "new arrival to the targeted ransomware scene" that appeared to be in the development stage. However, a blog post published Wednesday revealed the variant has been in use since at least August of this year. Operators behind Yanluowang primarily focus on financial organizations, according to Symantec, but companies in manufacturing, IT services, consultancy and engineering sectors have also been targeted.

Vikram Thakur, technical director at Symantec, told SearchSecurity that the threat is not highly targeted ransomware attempts, but more opportunistic. A majority of cases Thakur has seen are either unpatched Microsoft Exchange servers or Internet Information Services (ISS) servers.

Symantec discovered several indicators of compromise, including the use of public tools like AdFind to identify the victim's Active Directory server and SoftPerfect Network Scanner, which discovers hostnames and network services. Yanluowang threat actors also use BazarLoader, a malware variant that is commonly used in the initial stages of ransomware attacks.

In most cases, according to the blog post, "PowerShell was used to download tools to compromised systems." Threat actors also deployed ConnectWise Control, a widely used remote access management product.

"After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool," the blog post said.

The deployment and use of ConnectWise Control is common, Thakur said, because it's a legitimate application that won't be flagged by endpoint or network security products.

"Once attackers get onto the computer, they take the installer for ConnectWise type applications and then double-click on it and then they install it," Thakur said. "If I was to take a look at the last 100 ransomware connected investigations over the last couple of months, attackers have always installed it on the computer rather than relying upon something that's already there."

Thakur said the blog post was intended not only to talk about a new ransomware threat but to alert readers to start looking for suspicious ConnectWise activity.

UPDATE 12/2: ConnectWise sent the following statement from Chief Product Officer Jeff Bishop:

"Although we have not confirmed our software was used in conjunction with this recent malicious activity, we are deeply concerned when any legitimate screenshare application -- ours or a competitor's -- is used by threat actors after they gain access to their target's environment. There is no known vulnerability with respect to accessing our screenshare solution, so this appears to be an unfortunate case of a bad actor using legitimate software for an illegitimate use," Bishop said.

"ConnectWise deploys ongoing, modern AI-driven techniques to detect and shut down unethical and illegal misuse of our products, but it's a constantly evolving threat landscape that requires adaptation in near real-time. As such, we regularly work with multiple organizations to refine our detection algorithms. We will assist authorities in any way we can if it is helpful to their investigation."

One of the last attack phases Symantec observed involved credential theft using a wide range of credential-stealing tools including GrabChrome, which gathers passwords from Chrome. Open source tools such as KeeThieft, which Symantec describes as a "PowerShell script to copy the master key from KeePass," were used as well.

While observing the new ransomware strain, the Symantec team noted some tactics, techniques and procedures (TTP) that overlap with Thieflock, a known ransomware as a service "developed by the Canthroid." One link included the use of "custom password recovery tools such as GrabFF and other open-source password dumping tools."

Though Symantec referred to the possible connection as a "tentative link," the team hypothesized that the targeted "Yanluowang attacks may be carried out by a former Thieflock affiliate."

An alert from the FBI's Internet Crime Complaint Center last month highlighted another recent example of targeted ransomware. The Private Industry Notification warned that ransomware gangs could use public and non-public financial information such mergers and acquisitions to target and extort companies into paying a ransom demand.

To mitigate the Yanluowang threat, Thakur recommends that enterprises audit the computers they have on their network and look for applications that were not authorized.

"The simplest solution is when patches are released for the applications on your machines, test them, deploy them as quickly as possible, because attackers are going to exploit them in just a matter of days after," he said.

Next Steps

Recent surge in ransomware attacks threatens national security

ConnectWise ScreenConnect flaws under attack, patch now

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing