According to new research, a threat actor linked to the Thieflock ransomware operation may now be using the Yanluowang malware. The ransomware has been used in a number of attacks on US entities.
When the Yanluowang ransomware was found targeting major entities in the United States in October, Symantec researchers discovered a link between Thieflock and Yanluowang ransomware.
Since August, the Yanluowang ransomware has targeted businesses in the IT services, manufacturing, engineering, and consulting industries.
Because the ransomware's behaviour has not changed since it was first detected, researchers believe the operators are focused on carrying out attacks rather than on developing the malware further.
How was the link established?
Researchers discovered a link between the new Yanluowang ransomware attacks and older attacks using Thieflock ransomware, which was developed by the Canthroid group (aka Fivehands).
Yanluowang attackers deployed AdFind, SoftPerfect Network Scanner, or netscan.exe for network discovery and lateral movement, which is identical to what has been observed in Thieflock attacks.
In the next stage of the attack, several tools (GrabFF, GrabChrome, and BrowserPassView) were used to steal credentials from browsers. Thieflock attackers employed the same tools in their attacks.
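The tool overlap described above is also what a defender would hunt for. The script below is an added example, not code from the article or from Symantec: it scans constructed process-creation events for the tool names the article lists (AdFind, SoftPerfect Network Scanner / netscan.exe, GrabFF, GrabChrome, BrowserPassView), groups hits by host, and reports hosts where both the discovery tooling and the credential-theft tooling appeared, since that pairing is the pattern the article attributes to these attackers. The sample events, host names and command lines are invented; the `objectcategory=` pattern assumes typical AdFind LDAP-filter usage and is not something the article quotes.

```python
"""Added example: hunt for the Yanluowang/Thieflock tooling in process events.
Sample events are constructed, not real telemetry."""
import re
from typing import Dict, List, Set

# Patterns for the tools named in the article, keyed by attack phase.
# Matched case-insensitively against the image path, the PE OriginalFileName
# (when the sensor records it) and the full command line.
INDICATORS: Dict[str, List[str]] = {
    "discovery": [
        r"\badfind(\.exe)?\b",
        r"\bnetscan(\.exe)?\b",
        r"softperfect",
        # Assumption: AdFind-style LDAP filter on the command line. This
        # catches a renamed AdFind binary that an image-name match would miss.
        r"objectcategory=",
    ],
    "credential_theft": [
        r"\bgrabff(\.exe)?\b",
        r"\bgrabchrome(\.exe)?\b",
        r"browserpassview",
    ],
}

COMPILED = {
    phase: [re.compile(p, re.IGNORECASE) for p in pats]
    for phase, pats in INDICATORS.items()
}


def classify_event(event: dict) -> Set[str]:
    """Return the set of attack phases whose indicators match this event."""
    haystack = " ".join(
        str(event.get(k, "")) for k in ("image", "original_file_name", "cmdline")
    )
    return {
        phase
        for phase, pats in COMPILED.items()
        if any(p.search(haystack) for p in pats)
    }


def triage(events: List[dict]) -> Dict[str, Set[str]]:
    """Map each host to the union of phases observed on it."""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        phases = classify_event(ev)
        if phases:
            seen.setdefault(ev["host"], set()).update(phases)
    return seen


def hosts_with_full_chain(events: List[dict]) -> List[str]:
    """Hosts on which both discovery and credential-theft tooling appeared."""
    wanted = {"discovery", "credential_theft"}
    return sorted(h for h, p in triage(events).items() if wanted <= p)


# Constructed sample events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "WS01", "image": r"C:\Temp\BrowserPassView.exe",
     "cmdline": "BrowserPassView.exe /stext out.txt"},
    # Renamed AdFind: image name is innocuous, command line is not.
    {"host": "WS02", "image": r"C:\Temp\svc.exe",
     "cmdline": "svc.exe -f objectcategory=person"},
    {"host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "SRV01", "image": r"C:\ProgramData\netscan.exe",
     "cmdline": "netscan.exe"},
]

if __name__ == "__main__":
    for host, phases in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(phases))}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Matching on image names alone is weak because these are off-the-shelf binaries that attackers routinely rename; the WS02 event shows why the command-line pattern matters. Treat single hits as leads for triage and the discovery-plus-credential-theft pairing on one host as the higher-confidence signal.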
Researchers believe that one or more cybercriminal groups deployed Thieflock in earlier attacks and are also involved in deploying Yanluowang ransomware now.
A Brief Conclusion
When partners or affiliates of ransomware groups perceive higher financial incentives elsewhere, they frequently switch to other groups. The same pattern appears when they are being pursued by law enforcement agencies. Whatever the case may be with Thieflock, businesses should adopt a strong anti-ransomware strategy.