Cybercriminals are distributing a new form of ransomware in attacks against victims in which they not only encrypt the network but also make threats to launch distributed denial of service (DDoS) attacks and to harass employees and business partners if a ransom isn’t paid.
Dubbed Yanluowang, the ransomware was uncovered by cybersecurity researchers in Broadcom Software’s Symantec Threat Hunter team while they were investigating an attempted cyberattack against a large undisclosed organization.
While the attempted attack wasn’t successful, the investigation revealed a new form of ransomware. It also provided insight into how some cybercriminals are attempting to make attacks more effective — in this case, with the threat of additional attacks.
Yanluowang drops a ransom note telling the victim they’ve been infected with ransomware, telling them to message a contact address to negotiate a ransom payment. The note warns victims not to contact the police, FBI or authorities, and not to contact a cybersecurity company — it’s implied that if the victim does this, they won’t get their data back.
But the cybercriminals behind Yanluowang go even further with their threats, suggesting that if the victim calls in outside help, they’ll launch DDoS attacks against the victim — overflowing their websites with so much traffic that they’ll crash — and they’ll make calls to employees and business partners. They also suggest that if the victim isn’t cooperative, they’ll return with additional attacks or even delete the encrypted data, so it’s lost forever.
“It’s difficult to say if this is a genuine threat. However, it’s certainly in line with what we’re seeing from other ransomware actors who seem to feel threatened by victims calling in law enforcement or sharing information with third parties,” Dick O’Brien, principal editor at Symantec, told ZDNet.
It’s still unclear how the cybercriminals gained access to the network. Still, researchers uncovered the attack after identifying suspicious use of AdFind, a legitimate command-line Active Directory query tool.
This tool is often abused by ransomware attackers for reconnaissance: querying Active Directory helps them find additional ways to move around the network without being noticed, with the ultimate goal of deploying ransomware.
In this case, the attackers attempted to deploy ransomware just days after the suspicious activity was identified — and ultimately, the attempted ransomware attack was prevented because the tell-tale signs of an attack had been recognized and blocked.
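The detection opportunity described above, as an added example that is not part of the article or Symantec’s research: it scans constructed process-creation events (Sysmon-style fields, with made-up hostnames, users and paths) for AdFind executions, including renamed copies, and raises an alert when one host/user runs several Active Directory queries in quick succession. The command-line flags in the sample events are assumed to be typical AdFind syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Hosts, users, paths and timestamps are made up for this example.
EVENTS = [
    {"ts": "2021-10-14T09:00:01", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "orig": "AdFind.exe", "cmd": "adfind.exe -f objectcategory=computer"},
    {"ts": "2021-10-14T09:00:05", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",   # renamed binary
     "orig": "AdFind.exe", "cmd": "svc.exe -sc trustdmp"},
    {"ts": "2021-10-14T09:00:09", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "orig": "AdFind.exe", "cmd": "svc.exe -f (objectcategory=person)"},
    {"ts": "2021-10-14T09:30:00", "host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\dsquery.exe", "orig": "dsquery.exe",
     "cmd": "dsquery computer -limit 5"},   # benign admin activity
]

# AdFind-style command lines: an LDAP objectcategory filter or a "-sc" shortcut.
AD_QUERY_RE = re.compile(r"objectcategory=|\s-sc\s", re.IGNORECASE)

def is_adfind(ev):
    """True if the event looks like AdFind: by file name, by original file name
    (catches renamed copies) or by an AdFind-style query on the command line."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return (image == "adfind.exe"
            or ev.get("orig", "").lower() == "adfind.exe"
            or bool(AD_QUERY_RE.search(ev["cmd"])))

def burst_alerts(events, window=timedelta(minutes=5), threshold=2):
    """Alert once per host/user when AdFind-like executions inside a sliding
    window reach the threshold: several AD queries in quick succession is the
    reconnaissance pattern that preceded the attempted ransomware deployment."""
    seen = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_adfind(ev):
            continue
        key = (ev["host"], ev["user"])
        t = datetime.fromisoformat(ev["ts"])
        seen[key] = [x for x in seen[key] if t - x <= window] + [t]
        if len(seen[key]) == threshold:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "first": seen[key][0].isoformat(), "count": threshold})
    return alerts
```

In practice the same logic is fed from Sysmon or Windows 4688 events via a SIEM; the renamed-binary case is why matching on the original file name matters and not just the process name.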
Nonetheless, the emergence of yet another new ransomware group, particularly one making additional threats in order to coerce victims into paying ransoms, is an unwelcome development.
The ransomware appears to be a work in progress, so it could become more effective in the future. However, there are steps organizations can take to protect their businesses from this threat and from other forms of ransomware.
“Broadly speaking, they should adopt a defense in depth strategy, using multiple detections, protection, and hardening technologies to mitigate risk at each point of the potential attack chain,” said O’Brien.
“Only allow RDP [Remote Desktop Protocol] from specific known IP addresses. We’d also advise implementing proper audit and control of administrative account usage,” he added.
Other actions organizations can take to help protect against ransomware and other cyberattacks include applying security patches as soon as possible, so cybercriminals can’t exploit known vulnerabilities to access the network. Organizations should also equip users with multi-factor authentication, so it’s more difficult for cybercriminals to take advantage of breached usernames and passwords.