New “Yanluowang” Ransomware Variant Discovered

Researchers are warning of a newly discovered ransomware variant, Yanluowang, that is currently being used in targeted attacks.

It appears that the group using the variant first deployed the legitimate command-line query tool AdFind for reconnaissance and to help with lateral movement.

Before Yanluowang is downloaded, an additional tool creates a .txt file containing the number of remote machines to check, supplied on the command line, and uses WMI to get a list of the processes running on those machines.

It also logs all the processes and remote machine names, Symantec said.

Then, following deployment, the ransomware stops all hypervisor virtual machines running on the targeted machine, ends the processes listed in the .txt file, encrypts the files and drops a ransom note named README.txt.
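The chain described above (AdFind reconnaissance, WMI process enumeration against remote machines, then README.txt ransom notes) lends itself to simple correlation on endpoint telemetry. The following is an added detection example, not code from the article or from Symantec: the `Event` shape, the sample events, timestamps and hostnames are all constructed, and the assumption that the WMI enumeration surfaces as a `wmic /node:` command line is mine, since the article only says WMI was used.

```python
"""Correlate the Yanluowang intrusion chain over constructed endpoint events.

Added example (not from the original article). The event schema, hosts,
paths and timestamps below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    """One telemetry record (constructed shape, not any vendor's schema)."""
    ts: datetime
    host: str
    kind: str    # "process" for a process start, "file" for a file creation
    detail: str  # command line for process events, full path for file events


def recon_events(events: List[Event]) -> List[Event]:
    """AdFind executions: the reconnaissance tool the article names."""
    return [e for e in events
            if e.kind == "process" and "adfind" in e.detail.lower()]


def wmi_remote_enum_events(events: List[Event]) -> List[Event]:
    """Remote process listing over WMI.

    Assumption: the operator invoked wmic.exe with /node:, e.g.
    'wmic /node:HOST process list brief'. The article states only that WMI
    was used to list processes on remote machines, so this is one plausible
    invocation to look for, not the confirmed tooling.
    """
    hits = []
    for e in events:
        if e.kind != "process":
            continue
        cmd = e.detail.lower()
        if "wmic" in cmd and "/node:" in cmd and "process" in cmd:
            hits.append(e)
    return hits


def ransom_note_dirs(events: List[Event], name: str = "README.txt") -> List[str]:
    """Distinct directories (lower-cased) in which a README.txt was created."""
    dirs = set()
    for e in events:
        if e.kind == "file" and ntpath.basename(e.detail).lower() == name.lower():
            dirs.add(ntpath.dirname(e.detail).lower())
    return sorted(dirs)


def correlate(events: List[Event], min_note_dirs: int = 3,
              window: timedelta = timedelta(hours=24)) -> Dict[str, bool]:
    """Flag the chain when ransom notes land in several directories and at
    least one preceding stage (recon or WMI enumeration) is seen within
    `window` of them. A lone README.txt in a project folder does not fire."""
    recon = recon_events(events)
    wmi = wmi_remote_enum_events(events)
    note_events = [e for e in events if e.kind == "file"
                   and ntpath.basename(e.detail).lower() == "readme.txt"]
    stamps = [e.ts for e in recon + wmi + note_events]
    in_window = bool(stamps) and (max(stamps) - min(stamps)) <= window

    result = {
        "recon": bool(recon),
        "wmi_remote_enum": bool(wmi),
        "ransom_notes": len(ransom_note_dirs(events)) >= min_note_dirs,
    }
    result["alert"] = (result["ransom_notes"]
                       and (result["recon"] or result["wmi_remote_enum"])
                       and in_window)
    return result


# Constructed sample telemetry: one suspicious sequence, one benign host.
T0 = datetime(2021, 10, 14, 9, 0)
SUSPICIOUS = [
    Event(T0, "WS01", "process", r"C:\Tools\AdFind.exe -f objectcategory=computer"),
    Event(T0 + timedelta(minutes=5), "WS01", "process", r"wmic /node:FS01 process list brief"),
    Event(T0 + timedelta(minutes=6), "WS01", "process", r"wmic /node:DB01 process list brief"),
    Event(T0 + timedelta(hours=2), "FS01", "file", r"C:\Users\alice\Documents\README.txt"),
    Event(T0 + timedelta(hours=2), "FS01", "file", r"D:\Shares\Finance\README.txt"),
    Event(T0 + timedelta(hours=2), "FS01", "file", r"D:\Shares\HR\README.txt"),
]
BENIGN = [
    Event(T0, "DEV07", "process", r"C:\Python39\python.exe build.py"),
    Event(T0 + timedelta(minutes=1), "DEV07", "file", r"C:\src\myproject\README.txt"),
]

if __name__ == "__main__":
    print("suspicious:", correlate(SUSPICIOUS))
    print("benign:    ", correlate(BENIGN))
```

The `min_note_dirs` threshold and the 24-hour window are tuning knobs: a single README.txt is normal on any developer workstation, while the same filename appearing across several directories shortly after AD enumeration and remote WMI process listing is the pattern the article describes.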

The note purportedly warns victims not to contact the or any specialized ransomware negotiation firms.
