Cyber criminals are distributing a new form of ransomware in attacks against victims in which they not only encrypt the network, but also make threats to launch distributed denial of service (DDoS) attacks and to harass employees and business partners if a ransom isn’t paid.
Dubbed Yanluowang, the ransomware was uncovered by cybersecurity researchers in Broadcom Software’s Symantec Threat Hunter team while they were investigating as attempted cyberattack against an undisclosed large organsation.
While the attempted attack wasn’t successful, the investigation revealed a new form of ransomware. It also provided insight into how some cyber criminals are attempting to make attacks more effective – in this case, with the threat of additional attacks.
SEE: A winning strategy for cybersecurity (ZDNet special report)
Yanluowang drops a ransom note telling the victim they’ve been infected with ransomware, telling them to message a contact address to negotiate a ransom payment. The note warns victims not to contact the police, FBI or authorities, and not to contact a cybersecurity company – it’s implied that if the victim does this, they won’t get their data back.
But the cyber criminals behind Yanluowang go even further with their threats, suggesting that if the victim calls in outside help, they’ll launch DDoS attacks against the victim – overflowing their websites with so much traffic they’ll crash – and they’ll make calls to employees and business partners. They also suggest that if the victim isn’t cooperative, they’ll return with additional attacks or even delete the encrypted data so it’s lost forever.
“It’s difficult to say if this is a genuine threat. However, it’s certainly in line with what we’re seeing from other ransomware actors who seem to feel threatened by victims calling in law enforcement or sharing information with third parties,” Dick O’Brien, principal editor at Symantec, told ZDNet.
It’s still unclear how the cyber criminals gained access to the network, but researchers uncovered the attack after identifying suspicious use of AdFind, a legitimate command line in the Active Directory query tool.
This tool is often abused by ransomware attackers and is used as a reconnaissance technique for exploiting Active Directory and finding additional ways to secretly move around the network, with the ultimate goal of deploying ransomware.
In this case, the attackers attempted to deploy ransomware just days after the suspicious activity was identified – and ultimately the attempted ransomware attack was prevented because the tell-tale signs of an attack had been recognised and blocked.
Nonetheless, the emergence of yet another new ransomware group, particularly one making additional threats in order to coerce victims into paying ransoms, is an unwelcome development.
SEE: BYOD security warning: You can’t do everything securely with just personal devices
The ransomware appears to be a work in progress, so it could become more effective in future. However, there are steps that organisations can take to protect their businesses from this threat and other forms of ransomware.
“Broadly speaking, they should adopt a defense in depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain,” said O’Brien.
“Only allow RDP [Remote Desktop Protocol] from specific known IP addresses. We’d also advise implementing proper audit and control of administrative account usage,” he added.
Other actions organisations can take to help protect against ransomware and other cyberattacks include applying security patches as soon as possible, so cyber criminals can’t exploit known vulnerabilities to access the network. Organisations should also equip users with multi-factor authentication tools, so it’s more difficult for cyber criminals to take advantage of breached usernames and passwords.
MORE ON CYBERSECURITY
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.