
Yanluowang Ransomware Tied to Thieflock Threat Actor
2021-11-30 13:56

A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations, researchers have found.

Researchers found a "tentative link" between the new Yanluowang attacks and older attacks involving Thieflock, a ransomware-as-a-service developed by the Canthroid group, also known as Fivehands.

Researchers provided a rundown of some of the tools used in Yanluowang attacks, several of which overlap with the activity seen in Thieflock attacks. "That makes us believe the person behind the attacks is well-versed with how Thieflock used to be deployed," Thakur told Threatpost.

For lateral movement, and to identify systems of interest to target (for example, an Active Directory server), Yanluowang attackers deploy AdFind, a free tool that can be used to query Active Directory, and SoftPerfect Network Scanner, also known as netscan.
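The discovery stage described above is where a defender gets an early detection opportunity. The following is an added example, not code from the Threatpost article or the researchers: a small triage routine that flags AdFind and SoftPerfect netscan in process-creation telemetry, by image name and, for a renamed AdFind binary, by its characteristic query syntax. The Sysmon-style field names and the sample events are constructed assumptions.

```python
"""Flag the AD/network discovery tools named in the article (AdFind, netscan)
in process-creation events. Field names and sample events are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Image-name indicators; a renamed binary slips past these, hence the
# command-line rule below.
SUSPECT_IMAGES = {"adfind.exe", "netscan.exe"}
# AdFind-style query syntax (LDAP filter via -f, -sc shortcuts, -subnets),
# matched regardless of what the executable was renamed to.
ADFIND_CMDLINE = re.compile(r'-f\s+"?\(?objectcategory=|-sc\s+trustdmp|-subnets', re.I)


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    image: str


def inspect_event(ev: dict) -> Optional[Alert]:
    """Return an Alert when a process-creation event looks like AD/network discovery."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image in SUSPECT_IMAGES:
        return Alert(ev["Computer"], ev["User"], "discovery_tool_image", image)
    if ADFIND_CMDLINE.search(ev.get("CommandLine", "")):
        return Alert(ev["Computer"], ev["User"], "adfind_query_syntax", image)
    return None


def triage(events: List[dict]) -> List[Alert]:
    """Run every event through inspect_event and keep the hits, in order."""
    return [a for a in (inspect_event(e) for e in events) if a is not None]


# Constructed sample events modelled loosely on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\adfind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=computer)" name operatingsystem'},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\ProgramData\\netscan.exe",
     "CommandLine": "netscan.exe"},
    {"Computer": "WS03", "User": "CORP\\svc", "Image": "C:\\ProgramData\\af.exe",
     "CommandLine": "af.exe -sc trustdmp"},  # renamed AdFind, caught by syntax
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```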

In the next phase of the attack, several tools are used for credential theft, tools that Thieflock attackers have also been seen using.

Despite the overlap in tools and tactics between Yanluowang and Thieflock attacks, Thakur said that at this point it does not seem that the two ransomware variants share authorship.


News URL

https://threatpost.com/yanluowang-ransomware-thieflock-threat-actor/176640/