{
	"id": "a7b824fa-5594-4403-8db1-5fe895dc1dd9",
	"created_at": "2026-04-06T00:22:19.238292Z",
	"updated_at": "2026-04-10T03:21:47.016861Z",
	"deleted_at": null,
	"sha1_hash": "d5f419ef2357fb5fb15511c8f3c4ff543f890b62",
	"title": "New Yanluowang Ransomware Used in Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37578,
	"plain_text": "New Yanluowang Ransomware Used in Targeted Attacks\r\nArchived: 2026-04-05 14:48:27 UTC\r\nThe Symantec Threat Hunter Team, a part of Broadcom Software, has uncovered what appears to be a new ransomware threat called Yanluowang that is being used in targeted attacks.\r\nIn a recent attempted ransomware attack against a large organization, Symantec obtained a number of malicious files that, upon further investigation, revealed the threat to be a new, if somewhat underdeveloped, ransomware family.\r\nThe Threat Hunter Team first spotted suspicious use of AdFind, a legitimate command-line Active Directory query tool, on the victim organization’s network. This tool is often abused by ransomware attackers for reconnaissance and to gather the Active Directory information they need for lateral movement.\r\nJust days after the suspicious AdFind activity was observed on the victim organization’s network, the attackers attempted to deploy the Yanluowang ransomware.\r\nBefore the ransomware is deployed on a compromised computer, a precursor tool carries out the following actions:\r\n- Creates a .txt file listing the remote machines to check, the number of which is specified on the command line\r\n- Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file\r\n- Logs all the processes and remote machine names to processes.txt\r\nThe Yanluowang ransomware is then deployed and carries out the following actions:\r\n- Stops all hypervisor virtual machines running on the compromised computer\r\n- Ends the processes listed in processes.txt, which include SQL and the backup solution Veeam\r\n- Encrypts files on the compromised computer and appends the .yanluowang extension to each encrypted file\r\n- Drops a ransom note named README.txt on the compromised computer\r\nThe ransom note dropped by Yanluowang warns victims not to contact law enforcement or ransomware negotiation firms. If the attackers’ rules are broken, the ransomware operators say they will conduct distributed denial of service (DDoS) attacks against the victim, as well as make “calls to employees and business partners.” The criminals also threaten to repeat the attack “in a few weeks” and delete the victim’s data.\r\nProtection\r\nFile based:\r\nRansom.Yanluowang\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware\r\nPage 1 of 2\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nSHA-256 file hashes:\r\nd11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c\r\n49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d\r\n2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware"
	],
	"report_names": [
		"yanluowang-targeted-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5f419ef2357fb5fb15511c8f3c4ff543f890b62.pdf",
		"text": "https://archive.orkl.eu/d5f419ef2357fb5fb15511c8f3c4ff543f890b62.txt",
		"img": "https://archive.orkl.eu/d5f419ef2357fb5fb15511c8f3c4ff543f890b62.jpg"
	}
}
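The attack chain the report above describes (AdFind reconnaissance, a precursor tool writing processes.txt, files rewritten with the .yanluowang extension, a README.txt ransom note, and the three SHA-256 indicators) expressed as a small per-host detection pass over endpoint events. This is an added example, not code from Symantec or from the report: the event schema, the adfind.exe image name, the three-file encryption threshold and the sample events are assumptions constructed for illustration, and the precursor's WMI remote process query is not modelled because the report does not give its command line.

```python
"""Toy detection pass for the Yanluowang attack chain described in the report.

Event records use a constructed, simplified schema (assumption: fields
'host', 'type', 'image', 'cmdline', 'sha256', 'path'); they are not real
Sysmon or EDR output.
"""
from collections import defaultdict

# SHA-256 indicators listed in the report.
YANLUOWANG_SHA256 = {
    "d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c",
    "49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d",
    "2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04",
}

# Names taken from the report: the recon tool, the precursor's output file,
# the encrypted-file extension and the ransom note. The exact image name
# "adfind.exe" is an assumption; the report only names the tool.
RECON_TOOL = "adfind.exe"
PRECURSOR_OUTPUT = "processes.txt"
ENCRYPTED_EXT = ".yanluowang"
RANSOM_NOTE = "readme.txt"

# Assumption: how many .yanluowang writes on one host before we treat it as
# mass encryption rather than a stray rename.
ENCRYPT_THRESHOLD = 3


def classify(event):
    """Map a single event to zero or more alert tags."""
    tags = []
    image = event.get("image", "").lower()
    path = event.get("path", "").lower()
    if event["type"] == "process_create":
        if image.rsplit("\\", 1)[-1] == RECON_TOOL:
            tags.append("recon:adfind")
        if event.get("sha256", "").lower() in YANLUOWANG_SHA256:
            tags.append("ioc:yanluowang_hash")
    elif event["type"] == "file_create":
        name = path.rsplit("\\", 1)[-1]
        if name == PRECURSOR_OUTPUT:
            tags.append("precursor:processes_txt")
        elif name == RANSOM_NOTE:
            tags.append("ransom_note")
        elif name.endswith(ENCRYPTED_EXT):
            tags.append("encrypted_file")
    return tags


def detect(events):
    """Aggregate findings per host and decide whether the chain is present.

    Returns {host: {"tags": set, "encrypted_count": int, "verdict": str}}.
    A host is "ransomware" only on a hash match or mass encryption; a lone
    README.txt or AdFind run is "suspicious" so analysts can triage it.
    """
    per_host = defaultdict(lambda: {"tags": set(), "encrypted_count": 0})
    for ev in events:
        rec = per_host[ev["host"]]
        for tag in classify(ev):
            if tag == "encrypted_file":
                rec["encrypted_count"] += 1
            else:
                rec["tags"].add(tag)
    for rec in per_host.values():
        if rec["encrypted_count"] >= ENCRYPT_THRESHOLD:
            rec["tags"].add("mass_encryption")
        if {"ioc:yanluowang_hash", "mass_encryption"} & rec["tags"]:
            rec["verdict"] = "ransomware"
        elif rec["tags"]:
            rec["verdict"] = "suspicious"
        else:
            rec["verdict"] = "clean"
    return dict(per_host)


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"host": "dc01", "type": "process_create", "image": r"C:\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer", "sha256": ""},
    {"host": "fs02", "type": "file_create", "path": r"C:\Temp\processes.txt"},
    {"host": "fs02", "type": "process_create", "image": r"C:\Temp\x.exe",
     "cmdline": "x.exe",
     "sha256": "d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c"},
    {"host": "fs02", "type": "file_create", "path": r"D:\share\a.docx.yanluowang"},
    {"host": "fs02", "type": "file_create", "path": r"D:\share\b.xlsx.yanluowang"},
    {"host": "fs02", "type": "file_create", "path": r"D:\share\c.pdf.yanluowang"},
    {"host": "fs02", "type": "file_create", "path": r"D:\share\README.txt"},
    {"host": "ws07", "type": "file_create", "path": r"C:\Users\u\readme.txt"},
]

if __name__ == "__main__":
    for host, rec in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, rec["verdict"], sorted(rec["tags"]), rec["encrypted_count"])
```

The verdict logic deliberately keeps README.txt and AdFind as weak, triage-level signals: a file named readme.txt is common, and AdFind has legitimate administrative uses, so only the hash indicators from the report or a burst of .yanluowang writes escalate a host to "ransomware". In production the same tags would be derived from process-creation and file-creation telemetry rather than the constructed dictionaries here.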