The Philippines could be a potential target of the Yanluowang ransomware gang, which has already attacked large companies in countries including Brazil, Germany, China, and the US, warns cybersecurity firm Kaspersky.
Kaspersky’s warning, released on August 12, comes amid networking giant Cisco’s recent confirmation that it suffered a security breach in May. The Yanluowang gang claimed responsibility, publishing online a partial list of files it claims were stolen from Cisco’s networks. Cisco, however, said that it’s already working with law enforcement on the matter, noting that sensitive information was not stolen and its operations were not impacted.
Kaspersky believes the threat actor in question is relatively new to the scene, but has connections to UNC2447 and Lapsus$. The former is a ransomware gang with ties to Russia, while the latter is an extortion gang that made headlines this year, targeting the likes of Microsoft, Samsung, and Ubisoft.
The Cisco breach apparently isn’t the first time this year that Yanluowang struck. The gang targeted Walmart sometime between May and June, claiming to have encrypted tens of thousands of the retail giant’s computers. Walmart has denied the claims, saying they were inaccurate.
As a ransomware gang, Yanluowang typically uses malware to infiltrate networks and then steals data or locks access to systems, using the result as leverage for its demands. In Cisco’s case, however, the threat actor reportedly ran several elaborate phishing attacks to compromise an employee’s credentials, which it then used to log in to Cisco’s VPN and reach internal data. No malicious payloads were detected during the attack.
Phishing is an attack in which the threat actor poses as a legitimate institution and sends texts or emails asking the potential victim to hand over sensitive information such as login credentials.
Yanis Zinchenko, a security expert at Kaspersky, analyzed Yanluowang’s encryptor in April and found it to be flawed.
“The vulnerability discovered in the code allowed us to create a file decryptor with the help of a known-plaintext attack,” he said in a statement, adding the firm’s Rannoh Decryptor tool can help victims recover their data.
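To show what a known-plaintext attack on a ransomware encryptor looks like in practice, here is an added illustration that is not Yanluowang’s code, Kaspersky’s decryptor, or anything from the original article. The cipher is a hypothetical stream cipher (SHA-256 in counter mode, chosen only for the demonstration) and the weakness it models is the classic one: the encryptor reuses the same keystream for every file, so one file whose plaintext the victim still has (a backup, a standard file header) reveals the keystream and unlocks the others. The sample files are constructed. The corrected design with a per-file nonce is shown beside it for contrast.

```python
"""Constructed example of a known-plaintext attack on a stream-cipher
encryptor that reuses its keystream across files.  Not Yanluowang's
actual scheme; the cipher, file contents and function names are all
assumptions made for this illustration."""
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    """Hypothetical keystream generator (SHA-256 in counter mode).

    It stands in for whatever stream cipher an encryptor might use; the
    attack below does not depend on which cipher it is, only on the
    keystream being reused between files."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the output is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The flawed design: every file is XORed with the same keystream
    (key only, no per-file nonce), so keystream bytes are reused."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def safe_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The corrected design: a fresh random nonce per file makes each
    keystream unique, so one known file tells you nothing about another."""
    return xor_bytes(plaintext, keystream(key + nonce, len(plaintext)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext step: with a stream cipher C = P xor K, so P xor C
    gives back K for as many bytes as the known plaintext covers."""
    return xor_bytes(known_plain, known_cipher)


def decrypt_with_keystream(ks: bytes, cipher: bytes) -> bytes:
    """Decrypt another file with the recovered keystream.  Only the first
    len(ks) bytes can be recovered; beyond that the keystream is unknown,
    so refuse rather than hand back silently truncated output."""
    if len(cipher) > len(ks):
        raise ValueError(
            f"only {len(ks)} keystream bytes known, ciphertext has "
            f"{len(cipher)}; a longer known plaintext is needed")
    return xor_bytes(cipher, ks)


# Constructed sample data: a file the victim still has an unencrypted copy
# of (for example from a backup), and a second file with no such copy.
KNOWN_PLAIN = b"%PDF-1.7\n" + b"standard boilerplate " * 12
SECRET_PLAIN = b"payroll export 2022-08: total 1,204,551.00 PHP"


def attack_demo(key: bytes) -> bytes:
    """Run the attack end to end against the weak encryptor and return
    the plaintext recovered for the file we had no copy of.  The key is
    only used to simulate the encryptor; the attack itself never sees it."""
    known_cipher = weak_encrypt(key, KNOWN_PLAIN)
    secret_cipher = weak_encrypt(key, SECRET_PLAIN)
    ks = recover_keystream(KNOWN_PLAIN, known_cipher)
    return decrypt_with_keystream(ks, secret_cipher)


def attack_against_safe(key: bytes) -> bytes:
    """Same attack against the nonce-per-file design: the 'recovered'
    keystream belongs to one file only and yields garbage for the other."""
    known_cipher = safe_encrypt(key, os.urandom(16), KNOWN_PLAIN)
    secret_cipher = safe_encrypt(key, os.urandom(16), SECRET_PLAIN)
    ks = recover_keystream(KNOWN_PLAIN, known_cipher)
    return decrypt_with_keystream(ks, secret_cipher)


if __name__ == "__main__":
    victim_key = os.urandom(32)  # unknown to the analyst
    print(attack_demo(victim_key))                         # secret file recovered
    print(attack_against_safe(victim_key) == SECRET_PLAIN)  # False: nonce defeats it
```

The point a practitioner should take from this is that the decryptor never needs the key: it needs one file whose original content is known, and it can only recover other files up to the length of that known plaintext. In a real incident the "known" file is often something with a predictable header or a document that also exists in a backup, which is one more reason to keep offline copies.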
Zinchenko stresses that victims shouldn’t pay ransoms as it would only encourage the threat actors to continue their attacks. There’s also no guarantee that after payment, the data would be handed back. The best option is to follow basic security principles and minimize the chances of an attack.
As of writing, there has yet to be a reported Yanluowang attack in the Philippines. – Rappler.com