The Yanluowang ransomware samples analyzed had only a few detections at their early stages.
Just looking at the files themselves shows very little about where or how they arrived at a user’s system.
But since the samples require certain arguments for proper execution, it appears that the most likely scenario for their execution is through remote desktop tools.
We also believe that the files analyzed here are merely part of a toolkit used by operators once they have compromised their victims’ machines.
From our initial analysis, the ransomware checks for the following arguments that are primarily used to specify the directory where it would do its encryption:
-h/--help
-p/-path/--path
-pass
The ransomware then encrypts the files under the path supplied in that argument, appends the .yanluowang extension to each encrypted file, and drops the ransom note (README.txt).
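Because the sample will not run without its path and password switches, the command line of the process that launched it is a useful hunting artifact. The following Python is an added example written for this page, not code from the original analysis or from the malware: it pulls the switches listed above out of Windows process-creation command lines, flags the combination the sample needs to execute, and checks file names for the appended extension. The pipe-delimited log format, the `Switches`/`Alert` types, and every host, user, path and timestamp in `SAMPLE_PROCESS_LOG` are constructed for illustration.

```python
"""Hunting helpers for the argument pattern described above.

Added example, not from the original analysis. The log format and every
line in SAMPLE_PROCESS_LOG are constructed for illustration.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Switches the analysis says the sample checks for, matched case-insensitively
PATH_SWITCHES = {"-p", "-path", "--path"}
PASS_SWITCHES = {"-pass"}
HELP_SWITCHES = {"-h", "--help"}
ENCRYPTED_EXT = ".yanluowang"


@dataclass
class Switches:
    path: Optional[str] = None      # value following -p/-path/--path
    password: Optional[str] = None  # value following -pass
    help: bool = False              # -h/--help present


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    cmdline: str
    switches: Switches


def _strip_quotes(token: str) -> str:
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def parse_switches(cmdline: str) -> Switches:
    """Pull the three switches out of a Windows process command line.

    posix=False makes shlex keep backslashes literal (Windows paths) and
    keep a quoted path with embedded spaces as one token.
    """
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quote; fall back to a naive split
        argv = cmdline.split()
    sw = Switches()
    i = 1                       # argv[0] is the image itself
    while i < len(argv):
        tok = argv[i].lower()
        value = _strip_quotes(argv[i + 1]) if i + 1 < len(argv) else None
        if tok in HELP_SWITCHES:
            sw.help = True
        elif tok in PATH_SWITCHES:
            sw.path = value
            i += 1              # consume the value token too
        elif tok in PASS_SWITCHES:
            sw.password = value
            i += 1
        i += 1
    return sw


def matches_profile(sw: Switches) -> bool:
    """-p and -pass are generic switches on their own; the pair, each with a
    value, is the combination this sample needs to run, so alert on both."""
    return bool(sw.path) and bool(sw.password)


def is_encrypted_artifact(filename: str) -> bool:
    """File-event side: the extension the sample appends after encryption."""
    return filename.lower().endswith(ENCRYPTED_EXT)


def scan_process_log(log: str) -> List[Alert]:
    """Scan 'timestamp|host|user|cmdline' lines (constructed format)."""
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        sw = parse_switches(cmdline)
        if matches_profile(sw):
            alerts.append(Alert(ts, host, user, cmdline, sw))
    return alerts


# Constructed process-creation events; hosts, users, paths and times are invented.
SAMPLE_PROCESS_LOG = r"""
2021-10-28T10:02:11Z|WS-0142|corp\jdoe|"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt
2021-10-28T10:05:47Z|WS-0142|corp\jdoe|C:\Users\Public\svc.exe -p "C:\Users\jdoe\Documents" -pass 1q2w3e
2021-10-28T10:06:02Z|FS-01|corp\admin|C:\Users\Public\svc.exe --path \\FS-01\share -pass 1q2w3e
2021-10-28T10:06:40Z|WS-0142|corp\jdoe|C:\Users\Public\svc.exe -h
2021-10-28T10:10:00Z|WS-0077|corp\asmith|"C:\Program Files\7-Zip\7z.exe" a -p secret archive.7z
"""

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{a.timestamp} {a.host} {a.user}: path={a.switches.path!r} cmdline={a.cmdline}")
```

Run against the constructed log, only the two `svc.exe` launches that carry both a path and a `-pass` value are reported; the `-h` run and the 7-Zip command that happens to use `-p` are not. In a real environment the two-switch rule is a starting point rather than a verdict: pair it with the image path, the parent process (a remote-desktop session, as the analysis suggests) and subsequent `.yanluowang` file-creation events before treating a hit as confirmed.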