Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I’ve tagged as Yanluowang: https://pinboard.in/u:droberson/t:yanluowang/
This blog post by Symantec was very interesting to me, as it presents many concrete examples of the post-exploitation activity carried out by the operators of this ransomware: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
In particular, the article lists the following software as being used in these intrusions:
- ConnectWise (formerly ScreenConnect)
- ADFind
- SoftPerfect Network Scanner
- GrabFF
- GrabChrome
- BrowserPassView
- KeeThief
- secretsdump.exe
- Screen capture tools
- Cobalt Strike
This is interesting because it shows how attackers actually operate: these are the tools they are using. Reading other research, such as the article linked above, the same tools make repeat appearances across different groups and malware families.
Being able to detect these tools can be helpful to incident responders. Many of them (remote-access software, AD enumeration and network scanning utilities) may be authorized or expected within your environment, so you will want a baseline of where they legitimately run, but it is probably worth investigating if you discover any of them on your network outside that baseline.
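As an added example (my own code, not something from the original post or the Symantec report), here is a small Python scanner that checks process-creation events for the tools listed above. It matches on the image name, on Sysmon's OriginalFileName field (which survives a plain rename of the binary), and on command-line fragments (which survive renaming a script or loading KeeThief in memory). The image names and command-line fragments in the indicator table are my assumptions about how these tools typically appear, and the log lines are constructed, Sysmon-style JSON events, not real telemetry.

```python
import json
import ntpath

# Indicator table for the tooling named in the Symantec write-up. The image
# names and command-line fragments are assumptions about how these tools
# usually show up in process-creation telemetry, not indicators from the report.
TOOL_INDICATORS = {
    "ADFind": ({"adfind.exe"}, ("-f objectcategory=", "-sc trdc", "-sc dclist")),
    "SoftPerfect Network Scanner": ({"netscan.exe", "netscan64.exe"}, ()),
    "BrowserPassView": ({"browserpassview.exe"}, ()),
    "GrabFF": ({"grabff.exe"}, ()),
    "GrabChrome": ({"grabchrome.exe"}, ()),
    "KeeThief": (set(), ("get-keepassdatabasekey", "keethief")),
    "secretsdump": ({"secretsdump.exe"}, ("secretsdump", "-just-dc")),
    "ConnectWise Control / ScreenConnect": (
        {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}, ()),
}


def classify_event(event):
    """Return the tool names matched by one process-creation event (empty list if none).

    Checks the image basename, Sysmon's OriginalFileName (kept in the PE version
    resource, so a renamed copy still matches) and command-line fragments.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    for tool, (images, fragments) in TOOL_INDICATORS.items():
        if image in images or original in images or any(f in cmdline for f in fragments):
            hits.append(tool)
    return hits


def scan_log(lines):
    """Parse JSON-per-line events and return (tool, image, command line) for every hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tool in classify_event(event):
            findings.append((tool, event.get("Image", ""), event.get("CommandLine", "")))
    return findings


# Constructed sample events (Sysmon Event ID 1 fields, JSON per line).
SAMPLE_LOG = r"""
{"Image": "C:\\Temp\\adfind.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "adfind.exe -f objectcategory=person -json"}
{"Image": "C:\\Users\\Public\\svchost_update.exe", "OriginalFileName": "netscan.exe", "CommandLine": "svchost_update.exe /range:10.0.0.1-10.0.0.254"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -ep bypass -c \"Import-Module .\\KeeThief.ps1; Get-KeePassDatabaseKey\""}
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"}
{"Image": "C:\\ProgramData\\s.exe", "OriginalFileName": "", "CommandLine": "s.exe -just-dc corp/admin:Password1@dc01"}
"""


if __name__ == "__main__":
    for tool, image, cmdline in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{tool}] {image}\n    {cmdline}")
```

Of the five constructed events, the renamed network scanner is caught only through OriginalFileName and the renamed secretsdump copy only through its command line, which is the point: a name-only rule misses trivial evasion. Hashes, PE metadata and the behaviour that follows (LDAP queries from a workstation, SMB sweeps, DRSUAPI replication requests) are the next layer.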
I found a couple of samples of this ransomware on VX-Underground: https://samples.vx-underground.org/samples/Families/YanluowangRansomware/
Both samples contain a string with the following PDB path:
C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb
PDB paths can be used to track related malware families and may help with attribution, since the path records the developer's build environment (user name, project layout, compiler output directory). Keep in mind that a PDB path is under the author's control and can be stripped or forged, so treat it as a pivot for hunting rather than proof on its own. This is highlighted in the following post:
The following YARA rule may find variations of this ransomware:
rule yanluowang_pdb
{
    meta:
        description = "PDB path found in Yanluowang ransomware samples"
    strings:
        $ = "C:\\Users\\111\\Desktop\\wifi\\project\\ConsoleApplication2\\Release\\ConsoleApplication2.pdb"
    condition:
        all of them
}
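To show where that string actually comes from, here is an added Python example (my own code, not part of the original post) that carves CodeView "RSDS" debug records, the structure in a PE file that carries the PDB path, and prints each one in the escaped form a YARA rule needs. It runs on a constructed byte blob rather than a real sample: the GUID is made up, the blob is not a valid PE, and the 260-character length limit and printable-ASCII check are my own sanity filters for chance hits on the four-byte signature.

```python
import struct
import uuid

# CodeView RSDS record layout in a PE debug directory:
#   'RSDS' | GUID (16 bytes) | Age (uint32 LE) | PDB path (NUL-terminated)
RSDS_MAGIC = b"RSDS"
MAX_PDB_PATH = 260  # assumption: anything longer than MAX_PATH is treated as a false hit

# PDB path quoted in the post, used as the expected value below.
PDB_PATH = r"C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb"


def parse_rsds(blob, offset):
    """Parse one RSDS record at offset; raise ValueError if it is not a plausible record."""
    if blob[offset:offset + 4] != RSDS_MAGIC:
        raise ValueError("no RSDS signature at offset")
    guid = uuid.UUID(bytes_le=blob[offset + 4:offset + 20])  # GUID is stored little-endian
    (age,) = struct.unpack_from("<I", blob, offset + 20)
    end = blob.index(b"\x00", offset + 24)
    raw_path = blob[offset + 24:end]
    # The signature can occur by chance inside unrelated data; a real PDB path
    # is printable ASCII of sane length, so reject anything else.
    if not 1 <= len(raw_path) <= MAX_PDB_PATH or any(b < 0x20 or b > 0x7E for b in raw_path):
        raise ValueError("RSDS signature without a plausible path")
    return {"offset": offset, "guid": str(guid), "age": age, "path": raw_path.decode("ascii")}


def carve_pdb_records(blob):
    """Scan a whole file image for RSDS records (as a YARA string scan would) and parse each."""
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        try:
            records.append(parse_rsds(blob, pos))
        except (ValueError, struct.error):
            pass  # chance occurrence of the signature, or a truncated record
        pos = blob.find(RSDS_MAGIC, pos + 4)
    return records


def yara_string(path):
    """Render a PDB path as a YARA text string literal (backslashes must be doubled)."""
    return '"' + path.replace("\\", "\\\\") + '"'


def build_rsds(guid, age, path):
    """Build an RSDS record; used only to construct the sample blob below."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed stand-in for a sample: a DOS stub, a decoy "RSDS" inside junk
# data, and one genuine record. Not a real PE; the GUID is invented.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"decoy RSDS\x01\x02\x03" + b"\xff" * 30
    + build_rsds(SAMPLE_GUID, 1, PDB_PATH)
    + b"\x00" * 16
)


if __name__ == "__main__":
    # For a real file: carve_pdb_records(open(path, "rb").read())
    for rec in carve_pdb_records(SAMPLE_BLOB):
        print(f"offset=0x{rec['offset']:x} guid={rec['guid']} age={rec['age']}")
        print("  pdb:  " + rec["path"])
        print("  yara: $ = " + yara_string(rec["path"]))
```

The decoy signature is discarded because the bytes that would be its path are not printable, while the genuine record yields the path, the GUID and the age. The GUID and age are worth keeping alongside the path: together they identify one specific build, whereas the path alone matches every build from the same project directory, which is exactly why it is useful for clustering variants.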