In Chinese mythology, Yanluo Wang is the god of death overseeing the "Ten Kings of Hell." Having a name of Chinese origin, one would assume that the Yanluowang ransomware originates from China. However, in late October of 2022, the chat logs from the Yanluowang operators were leaked, revealing the true origin of the malware was from Russian-speaking individuals intentionally masquerading as Chinese operators to throw off analysts. Thus, the ransomware is assumed to be of Russian origin. Yanluowang is ransomware that is typically dropped via BazarLoader directly from a remote connection after the attackers have infiltrated a network. Operators are known to use AdFind to gather information from Active Directory, NetScan to identify IPv4 capable devices, and information stealing tools such as GrabFF, GrabFile, GrabChrome, OpenChromeDumps, and BrowserPassView. This strategic approach indicates that the ransomware is Human-Operated Ransomware (HumOR). It was first seen in late 2021, and Kaspersky was able to create a decryptor due to a defect in the encryption process.
Samples (SHA-256)(6)
Known Victims(7)
Industry Sector | Pays | Extortion Date | Amount (USD) |
---|---|---|---|
Real Estate & Housing | United States | ||
Real Estate & Housing | United States | ||
Manufacturing | United States | ||
Distribution & Logistics | Germany | ||
Retail & Wholesale | United States | ||
Telecommunications | United States | ||
Information Technology | United States |