{"id":44373,"date":"2021-12-10T00:00:00","date_gmt":"2021-12-10T00:00:00","guid":{"rendered":"urn:uuid:c59d8450-c5ba-923e-e9ef-aaa68cc0f435"},"modified":"2021-12-10T00:00:00","modified_gmt":"2021-12-10T00:00:00","slug":"new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/","title":{"rendered":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/yanluowang-banner.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.860375805788\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1232893442\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.3106435643564\">\n<div class=\"article-details\" role=\"heading\" 
readability=\"36.175742574257\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">We analyzed new samples of the Yanluowang ransomware. One interesting aspect of these samples is that the files are code-signed. They also terminate various processes which are related to database and backup management. <\/p>\n<p class=\"article-details__author-by\">By: Don Ovid Ladores <time class=\"article-details__date\">December 10, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"41.601818181818\">\n<div readability=\"30.603636363636\">\n<p>We analyzed new samples of the Yanluowang <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware\">ransomware<\/a>, a <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/yanluowang-ransomware-attacks-continue\" target=\"_blank\" rel=\"noopener\">recently discovered<\/a> ransomware family. One interesting aspect of these samples is that the files are code-signed using a valid digital signature, which was either stolen or fraudulently signed. 
They also terminate various processes, including Veeam and SQL, which are related to database and backup management.<\/p>\n<p>After being uncovered <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/yanluowang-targeted-ransomware\" target=\"_blank\" rel=\"noopener\">a few weeks ago<\/a>, the Yanluowang ransomware (named after the Chinese deity Yanluo Wang) has since been associated with campaigns, and its operators are said to have been launching <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/yanluowang-ransomware-attacks-continue\" target=\"_blank\" rel=\"noopener\">targeted attacks<\/a> on US corporations since at least August this year.<\/p>\n<h2><span class=\"body-subhead-title\">Yanluowang ransomware initial analysis<\/span><\/h2>\n<p>The Yanluowang ransomware samples we analyzed still have only a few detections as of this writing. Just looking at the files themselves shows very little about where or how they arrived at a user\u2019s system. 
But since the samples require certain arguments for proper execution, it appears that the most likely scenario for their execution is through remote desktop tools.<\/p>\n<p>We also believe that the files analyzed here are merely part of a toolkit used by operators once they have compromised their victims\u2019 machines.<\/p>\n<p>From our initial analysis, the ransomware checks for the following arguments that are primarily used to specify the directory where it would do its encryption:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">-h\/&#8211;help&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">-p\/-path\/&#8211;path&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">-pass<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-1-Checking-for-arguments-path.PNG\" alt=\"Figure 1. Checking for arguments (path)\"><figcaption>Figure 1. Checking for arguments (path)<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-2-Checking-for-arguments-pass.PNG\" alt=\"Figure 2. Checking for arguments (pass)\"><figcaption>Figure 2. 
Checking for arguments (pass)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The ransomware then encrypts the files in the file path provided in the argument, appends the extension (.yanluowang), then drops the ransom note (README.txt).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-3-Yanluowang-ransomware-appended-files.PNG\" alt=\"Figure 3. Yanluowang ransomware appended files\"><figcaption>Figure 3. Yanluowang ransomware appended files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-4-YanLuoWang-ransomnote(README.txt).PNG\" alt=\"Figure 4. YanLuoWang ransomnote (README.txt)\"><figcaption>Figure 4. YanLuoWang ransomnote (README.txt)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.161676646707\">\n<div readability=\"14.640718562874\">\n<h2><span class=\"body-subhead-title\">Digital signature, other features also found<\/span><\/h2>\n<p>It is important to highlight that the samples obtained are code-signed with a digital signature \u2014 and a valid one at that, at the time of the analysis. 
The question remains whether this signature was stolen from a company or fraudulently signed.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en\/research\/18\/d\/understanding-code-signing-abuse-in-malware-campaigns.html\">Code signing<\/a> is performed to validate the authenticity of a piece of software; thus, code-signed malware can appear legitimate and non-malicious, allowing it to bypass certain security measures.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-5-Digital-signature-found-with-Yanluowang-ransomware-samples.PNG\" alt=\"Figure 5. Digital signature found with Yanluowang ransomware samples\"><figcaption>Figure 5. Digital signature found with Yanluowang ransomware samples<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Upon execution, the ransomware also terminates the following processes, which are related to managing databases and backups, through Windows API:<\/p>\n<p>The termination of database-related processes could potentially lead to loss of access to backup files, which then places additional pressure on ransomware victims to pay up to retrieve their files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-6-Terminating-processes.PNG\" alt=\"Figures 6. 
Terminating processes\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-7-Terminating-processes.PNG\" alt=\"Figure 7. Terminating processes\"><figcaption>Figures 6-7. Terminating processes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The ransomware also attempts to terminate a few more processes through the command prompt if they match the following strings:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">mysql*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">dsa*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">veeam*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">chrome*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">iexplore*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">firefox*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">outlook*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">excel*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">taskmgr*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">tasklist*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ntrtscan*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ds_monitor*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Notifier*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">putty*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ssh*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">TmListen*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">iVPAgent*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CNTAoSMgr*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">IBM*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">bes10*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">black*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">robo*<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">copy*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sql<\/span><\/li>\n<li><span class=\"rte-red-bullet\">store.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sql*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vee*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wrsa*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wrsa.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">postg*<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sage*<\/span><\/li>\n<\/ul>\n<p>Aside from processes, the malware will also forcefully stop (through net stop command line) the following services:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">MSSQLServerADHelper100<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSSQL$ISARS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSSQL$MSFW<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLAgent$ISARS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLAgent$MSFW<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLBrowser<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ReportServer$ISARS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLWriter<\/span><\/li>\n<li><span class=\"rte-red-bullet\">WinDefend<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mr2kserv<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeADTopology<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeFBA<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeIS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeSA<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ShadowProtectSvc<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPAdminV4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPTimerV4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPTraceV4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPUserCodeV4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPWriterV4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SPSearch4<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">IISADMIN<\/span><\/li>\n<li><span class=\"rte-red-bullet\">firebirdguardiandefaultinstance<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ibmiasrw<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QBCFMonitorService<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QBVSS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QBPOSDBServiceV12<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\&#8221;IBM Domino Server (CProgramFilesIBMDominodata)\\&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\&#8221;IBM Domino Diagnostics (CProgramFilesIBMDomino)\\&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\&#8221;Simply Accounting Database Connection Manager\\&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB3<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB5<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB6<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB7<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB8<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB9<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB10<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB11<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB12<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB13<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB14<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB15<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB16<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB17<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB18<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB19<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">QuickBooksDB20<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB21<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB22<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB23<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB24<\/span><\/li>\n<li><span class=\"rte-red-bullet\">QuickBooksDB25<\/span><\/li>\n<\/ul>\n<p>Lastly, it will forcefully terminate running virtual machines (VMs) through the following command line:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>powershell -command \\&#8221;Get-VM | Stop-VM -Force\\&#8221;<\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/Fig-8-Terminating-services.PNG\" alt=\"Figure 8. Terminating services\"><figcaption>Figure 8. Terminating services<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.8015625\">\n<div readability=\"34.42734375\">\n<p>We will continue to monitor events related to the Yanluowang ransomware and share any updates.<\/p>\n<h2><span class=\"body-subhead-title\">Strengthening defenses against ransomware<\/span><\/h2>\n<p>As new ransomware families continue to emerge, we foresee in our <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/research-and-analysis\/predictions\/2022\">2022 security predictions report<\/a> that ransomware operators will use more modern and sophisticated methods of extortion. Moving forward, enterprises must then take extra caution in applying preventive measures.<\/p>\n<p>It would also help enterprises to establish frameworks that would help them with ransomware defense. 
Here are some of the best practices that they can include in their frameworks:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Audit and take inventory of assets and data, authorized and unauthorized devices and software, and logs of events and incidents.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Configure and monitor hardware and software configurations, and only grant admin privileges and access when absolutely necessary to an employee\u2019s role.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Patch and update operating systems and applications, perform regular vulnerability assessments, and conduct patching or virtual patching for operating systems and applications.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Protect and recover essential information and files by enforcing stringent data protection, backup, and recovery measures.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Perform security skills assessment and training regularly and conduct red-team exercises and penetration tests.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Secure and defend systems by employing the latest version of security solutions to all layers of the system, including email, endpoint, web, and network.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/managed-xdr.html\">Trend Micro Vision One\u2122<\/a>&nbsp;offers multilayered protection and behavior detection, allowing for the detection and blocking of ransomware early on before it can do any real damage to the system. 
This is done by identifying questionable behavior that might otherwise seem benign when viewed from only a single layer.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/campaigns\/cloud-one-services.html\">Trend Micro Cloud One\u2122 \u2013 Workload Security<\/a>&nbsp;defends systems against both known and unknown threats that exploit vulnerabilities through techniques such as virtual patching and machine learning. It also leverages the latest in global threat intelligence to provide timely, real-time protection.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps.html\">Trend Micro\u2122 Deep Discovery\u2122 Email Inspector<\/a>&nbsp;employs custom sandboxing and advanced analysis techniques to effectively block ransomware before it gets into the system, blocking phishing emails that can be used by ransomware as entry points.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/technologies\/control-manager.html\">Trend Micro Apex One\u2122<\/a>&nbsp;provides a closer inspection of endpoints through next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware.<\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IoCs)<\/span><\/h2>\n<p>View the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/New-Yanluowang-Ransomware-Family-Found-to-be-Code-Signed-Terminates-Database-Related-Processes.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!--For 
Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/yanluowang-ransomware-code-signed-terminates-database-processes.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyzed new samples of the Yanluowang ransomware. One interesting aspect of these samples is that the files are code-signed. They also terminate various processes which are related to database and backup management. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44374,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9539,9509],"class_list":["post-44373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-10T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/yanluowang-banner.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes\",\"datePublished\":\"2021-12-10T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/\"},\"wordCount\":1009,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/\",\"name\":\"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png\",\"datePublished\":\"2021-12-10T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png\",\"width\":667,\"height\":55},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel 
\u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema
\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/","og_locale":"en_US","og_type":"article","og_title":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-12-10T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/yanluowang-banner.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes","datePublished":"2021-12-10T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/"},"wordCount":1009,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png","keywords":["Trend Micro Research : Articles, 
News, Reports","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/","url":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/","name":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png","datePublished":"2021-12-10T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes.png","width":667,"height":55},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-yanluowang-ransomware-found-to-be-code-signed-terminates-database-related-processes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - 
Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44373"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44373\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44374"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}