Yanluowang ransomware operation matures with experienced affiliates (Security News, November 2021)

An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage.
While its interest is in financial institutions, the Yanluowang ransomware affiliate has also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.
Looking at the tactics, techniques, and procedures, the researchers noticed a possible connection to older attacks involving Thieflock, a ransomware operation developed by the Fivehands group.
Fivehands ransomware itself is relatively new on the scene, becoming known in April - first in a report from Mandiant, who is tracking its developer as UNC2447, and then in an alert from CISA. At the time, Mandiant said that UNC2447 showed "Advanced capabilities to evade detection and minimize post-intrusion forensics," and that its affiliates had been deploying RagnarLocker ransomware.
"This link begs the question of whether Yanluowang was developed by Canthroid. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate," the researchers say.
In a previous report about Yanluowang attacks, the company said that the hackers threatened distributed denial-of-service (DDoS) and data-wiping attacks if the victim did not comply with the demands.