Yanluowang Ransomware Tied to Thieflock Threat Actor

Links between the tactics and tools demonstrated in attacks suggest a former affiliate has switched loyalties, according to new research.

A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations, researchers have found.

Researchers from Symantec, a division of Broadcom Software, found ties between Thieflock and Yanluowang, the latter of which they revealed in October after observing its use against a large organization.

Researchers said in a report published Tuesday that they believe a threat actor has been using Yanluowang since August to target mainly financial companies in the United States. The actor has also attacked companies in the manufacturing, IT services, consultancy and engineering sectors with the novel ransomware, they said.


Researchers found a “tentative link” between the new Yanluowang attacks and older attacks involving Thieflock, a ransomware-as-a-service (RaaS) operation developed by the Canthroid group, also known as Fivehands.

This demonstrates how “little loyalty” there is among ransomware actors, particularly those who act as affiliates of RaaS operations, Vikram Thakur, principal research manager at Symantec, a division of Broadcom, told Threatpost in an email interview on Monday ahead of the report’s release.

Read More: https://threatpost.com/yanluowang-ransomware-thieflock-threat-actor/176640/