Yanluowang, the ransomware recently discovered by Symantec, a division of Broadcom Software, is now being used by a threat actor that has been mounting targeted attacks against U.S. corporations since at least August 2021. The attacker uses a number of tools, tactics, and procedures (TTPs) that were previously linked to Thieflock ransomware attacks, suggesting that they may have been a Thieflock affiliate who shifted allegiances to the new Yanluowang ransomware family.
The attackers have been heavily focused on organizations in the financial sector but have also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.
In most cases, PowerShell is used to download tools to compromised systems including BazarLoader to assist in reconnaissance. The attackers then enable RDP via registry to enable remote access. After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool.