BleepingComputer reports that enterprises are being subjected to highly targeted attacks using the new Yanluowang ransomware.
Symantec Threat Hunter Team researchers discovered Yanluowang while investigating a cybersecurity incident at a high-profile organization, after suspicious use of the AdFind command-line Active Directory query tool was reported.
Threat actors were found to deploy Yanluowang across the organization's systems after first running a malicious precursor tool with key capabilities. Once deployed, Yanluowang stops hypervisor virtual machines, terminates all processes harvested by the precursor tool, encrypts files, and appends the .yanlouwang extension to them.
Meanwhile, victims have been urged in a ransom note not to inform authorities or ransomware negotiation companies regarding the attack.
"If the attackers' rules are broken the ransomware operators say they will conduct distributed denial of service (DDoS) attacks against the victim, as well as make 'calls to employees and business partners'. The criminals also threaten to repeat the attack 'in a few weeks' and delete the victim's data," said researchers.
Attackers purporting to be Royal Mail distributed malicious emails about a failed package delivery with a PDF attachment that included a link redirecting to a Dropbox-hosted ZIP file, which then facilitated the execution of Prince ransomware.
Such websites, which operate under the "AI Nude" brand and are promoted through black hat SEO techniques, promise to convert uploaded photos into deepfake nudes but instead display a link which, when clicked, redirects to another site that provides the password and link for a password-protected Dropbox-hosted archive containing the infostealer malware.
Both iOS and Android devices have been targeted with attacks involving the fake app dubbed "SB-INT," which lured victims into manually trusting the Enterprise developer profile before triggering the registration process that would seek additional information from victims.