New Yanluowang Ransomware Found to be Code-Signed
The Yanluowang ransomware samples analyzed had only a few detections at their early stages.
Just looking at the files themselves shows very little about where or how they arrived at a user’s system.
But since the samples require certain arguments to execute properly, the most likely scenario is that they are launched manually, for example through remote desktop tools. We also believe that the files analyzed here are merely part of a toolkit used by operators once they have compromised their victims' machines. From our initial analysis, the ransomware checks for the following arguments, which are primarily used to specify the directory it will encrypt:
-h/--help
-p/-path/--path
-pass

The ransomware then encrypts the files under the path supplied in the argument, appends the extension (.yanluowang) to each one, and drops the ransom note (README.txt).
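The behaviour described above (a path flag plus -pass on the command line, files renamed with .yanluowang, a README.txt dropped in the encrypted directory) translates directly into detection logic. The following is an added example, not code from the original post or from the ransomware: it runs over constructed process and file events and flags only the combinations the analysis describes, so a generic "-p" argument or an unrelated README.txt is not reported on its own.

```python
import re

# Constructed sample telemetry (not from the post): process-creation and
# file-write events as an EDR might record them. pid 4120 is the hypothetical
# ransomware process; pid 4188 and 900 are benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\Public\svc.exe",
     "cmdline": r'svc.exe -p "D:\Shares\Finance" -pass x9Qm'},
    {"type": "process", "pid": 4188, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe -p report.txt"},
    {"type": "file", "pid": 4120, "path": r"D:\Shares\Finance\q3.xlsx.yanluowang"},
    {"type": "file", "pid": 4120, "path": r"D:\Shares\Finance\README.txt"},
    {"type": "file", "pid": 900, "path": r"C:\Projects\tool\README.txt"},
]

# Flags are matched as whole tokens so that "-pass" is not mistaken for "-p".
PATH_FLAG = re.compile(r"(?:^|\s)(?:-p|-path|--path)(?:\s|$)")
PASS_FLAG = re.compile(r"(?:^|\s)-pass(?:\s|$)")
ENCRYPTED_EXT = ".yanluowang"
RANSOM_NOTE = "readme.txt"


def cmdline_matches(cmdline: str) -> bool:
    """True when a command line carries both a path flag and -pass, the
    argument combination the analysed samples expect."""
    return bool(PATH_FLAG.search(cmdline)) and bool(PASS_FLAG.search(cmdline))


def classify_events(events):
    """Return (finding, pid, detail) tuples for events matching the described
    behaviour. A README.txt is only reported as a ransom note when the same
    process also wrote .yanluowang files, since the file name alone is common."""
    findings = []
    encrypting_pids = {e["pid"] for e in events
                       if e["type"] == "file" and e["path"].lower().endswith(ENCRYPTED_EXT)}
    for e in events:
        if e["type"] == "process" and cmdline_matches(e["cmdline"]):
            findings.append(("suspicious_cmdline", e["pid"], e["cmdline"]))
        elif e["type"] == "file":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name.endswith(ENCRYPTED_EXT):
                findings.append(("encrypted_file", e["pid"], e["path"]))
            elif name == RANSOM_NOTE and e["pid"] in encrypting_pids:
                findings.append(("ransom_note", e["pid"], e["path"]))
    return findings


if __name__ == "__main__":
    for finding in classify_events(SAMPLE_EVENTS):
        print(finding)
```

The command-line check only works where process-creation telemetry records the full command line (Sysmon Event ID 1, or Windows Event ID 4688 with command-line auditing enabled).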