This new ransomware encrypts your data and makes some nasty threats, too


Danny Palmer

By

Danny Palmer

| October 14, 2021

| Topic: Security


Cyber criminals are distributing a new form of ransomware in attacks against victims in which they not only encrypt the network, but also make threats to launch distributed denial of service (DDoS) attacks and to harass employees and business partners if a ransom isn’t paid. 

Dubbed Yanluowang, the ransomware was uncovered by cybersecurity researchers in Broadcom Software’s Symantec Threat Hunter team while they were investigating an attempted cyberattack against an undisclosed large organisation.

While the attempted attack wasn’t successful, the investigation revealed a new form of ransomware. It also provided insight into how some cyber criminals are attempting to make attacks more effective – in this case, with the threat of additional attacks.

SEE: A winning strategy for cybersecurity (ZDNet special report)

Yanluowang drops a ransom note telling the victim they’ve been infected with ransomware, telling them to message a contact address to negotiate a ransom payment. The note warns victims not to contact the police, FBI or authorities, and not to contact a cybersecurity company – it’s implied that if the victim does this, they won’t get their data back. 

But the cyber criminals behind Yanluowang go even further with their threats, suggesting that if the victim calls in outside help, they’ll launch DDoS attacks against the victim – overflowing their websites with so much traffic they’ll crash – and they’ll make calls to employees and business partners. They also suggest that if the victim isn’t cooperative, they’ll return with additional attacks or even delete the encrypted data so it’s lost forever. 

“It’s difficult to say if this is a genuine threat. However, it’s certainly in line with what we’re seeing from other ransomware actors who seem to feel threatened by victims calling in law enforcement or sharing information with third parties,” Dick O’Brien, principal editor at Symantec, told ZDNet. 

It’s still unclear how the cyber criminals gained access to the network, but researchers uncovered the attack after identifying suspicious use of AdFind, a legitimate command-line Active Directory query tool.

This tool is often abused by ransomware attackers as a reconnaissance technique: it is used to query Active Directory and find additional ways to move around the network unnoticed, with the ultimate goal of deploying ransomware.

In this case, the attackers attempted to deploy ransomware just days after the suspicious activity was identified – and ultimately the attempted ransomware attack was prevented because the tell-tale signs of an attack had been recognised and blocked. 
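The "tell-tale signs" the article refers to are, in practice, process-creation telemetry in which a directory-query tool shows up where it doesn't belong. The following is an added example of that kind of detection logic, written for this page and not code from Symantec or from the article; it runs over constructed sample events (the event shape, the host and user names, the approved-admin allow-list and the argument patterns are all assumptions) and flags AdFind executions, including a renamed binary whose command line still looks like AdFind, while rating an expected administrative use lower.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events. The field layout is an
# assumption for this example; these are not real telemetry and not the
# events from the investigation described in the article.
SAMPLE_EVENTS = [
    {"ts": "2021-10-11T09:02:11Z", "host": "ws-17", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"ts": "2021-10-11T09:05:40Z", "host": "ws-17", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": 'adfind.exe -f "(objectcategory=person)" > users.txt'},
    {"ts": "2021-10-11T09:06:02Z", "host": "ws-17", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\af.exe",
     "cmdline": 'af.exe -f "(objectcategory=computer)" -csv > hosts.csv'},
    {"ts": "2021-10-11T10:30:00Z", "host": "mgmt-01", "user": "CORP\\adadmin",
     "image": r"C:\Tools\AdFind\adfind.exe",
     "cmdline": "adfind.exe -sc dclist"},
]

# Command-line patterns characteristic of AdFind even when the executable has
# been renamed (an LDAP filter passed via -f, or one of its -sc shortcuts).
# Chosen for this example; tune against your own baseline.
ADFIND_ARG_PATTERNS = [
    re.compile(r'-f\s+"?\(?objectcategory=', re.IGNORECASE),
    re.compile(r"-sc\s+\w+", re.IGNORECASE),
]

# Hypothetical allow-list of hosts and accounts expected to run AD query tools.
APPROVED_ADMIN_HOSTS = {"mgmt-01"}
APPROVED_ADMIN_USERS = {"CORP\\adadmin"}

# Path fragments that indicate execution from a user-writable location.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    severity: str
    reason: str


def classify_event(ev):
    """Return a Finding if the event looks like AdFind usage, else None."""
    image_name = PureWindowsPath(ev["image"]).name.lower()
    reasons = []
    if image_name == "adfind.exe":
        reasons.append("image name is adfind.exe")
    if any(p.search(ev["cmdline"]) for p in ADFIND_ARG_PATTERNS):
        if image_name == "adfind.exe":
            reasons.append("AdFind-style arguments")
        else:
            reasons.append("AdFind-style arguments under a renamed binary")
    if not reasons:
        return None

    # Expected administrative use on an approved host by an approved account
    # is still worth logging, but at low severity; anything else is high.
    approved = (ev["host"] in APPROVED_ADMIN_HOSTS
                and ev["user"] in APPROVED_ADMIN_USERS)
    severity = "low" if approved else "high"
    if any(h in ev["image"].lower() for h in USER_WRITABLE_HINTS):
        reasons.append("executed from a user-writable directory")
        severity = "high"
    return Finding(ev["ts"], ev["host"], ev["user"], severity, "; ".join(reasons))


def detect_adfind(events):
    """Run the classifier over a list of process-creation events."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_adfind(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.ts} {finding.host} "
              f"{finding.user}: {finding.reason}")
```

On the sample events the two workstation executions are reported as high severity (the second one specifically because the binary was renamed but the arguments were not), the administrator's run from the approved host is reported as low, and the ordinary `cmd.exe` event is ignored. In a real deployment the allow-list and the argument patterns would be derived from the organisation's own baseline of who legitimately queries Active Directory, and from where.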
