Walmart Denies Being Hit by Yanluowang Ransomware Attack
American retailer Walmart has denied being hit with a ransomware attack by the Yanluowang gang after the hackers claimed to encrypt thousands of computers.
In a statement to BleepingComputer, Walmart said that its “Information Security team is monitoring our systems 24/7” and that it believes the claims to be inaccurate.
“We believe this claim is inaccurate and are not aware of a successful attack in this regard on our devices,” a Walmart spokesperson told BleepingComputer.
On Monday, the relatively new Yanluowang ransomware operation published an entry to their data leak site claiming that they breached the retailer and encrypted between 40,000 and 50,000 devices.
“We encrypted about 40-50k walmart computers and offered our help, but they decided to go the other way and here we publish,” reads the data leak site.
The ransomware gang further told BleepingComputer that they conducted the attack over a month ago and were able to encrypt devices but not steal any data. As part of this attack, they say they demanded a $55 million ransom but never received a response from Walmart.
The entry on the data leak site includes various files that allegedly contain information extracted during the attack from Walmart’s Windows domain.
While Walmart denies an attack was successful, these files contain information purported to be from Walmart’s internal network, including a security certificate, a list of domain users, and the output of a kerberoasting attack.
Kerberoasting is used by threat actors after they gain a foothold on a network to extract Windows service accounts and their hashed NTLM passwords. These hashed passwords are then brute-forced to extract the plain-text passwords, which are used to elevate privileges on the Windows domain.
BleepingComputer has not been able to confirm if the leaked Windows domain data is legitimate and has emailed further questions to Walmart.
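For defenders, the Kerberoasting activity described above can be surfaced from domain controller logs. The following is an added example, not part of the original article: it assumes Kerberos service ticket auditing (Windows Security Event ID 4769) is enabled, and the window, threshold, account names and sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # RC4 ticket encryption type, the weakest to crack offline
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 3                   # assumed: distinct services per requester inside WINDOW

FIELDS = ("time", "TargetUserName", "IpAddress", "ServiceName", "TicketEncryptionType")
# Constructed sample records shaped like Event ID 4769 fields; not real data.
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2021-12-01T10:00:00", "alice@CORP.EXAMPLE", "10.0.0.5", "FILESRV01$", "0x12"),
    ("2021-12-01T10:00:30", "alice@CORP.EXAMPLE", "10.0.0.5", "svc_sql", "0x12"),
    ("2021-12-01T10:01:00", "bob@CORP.EXAMPLE", "10.0.0.9", "svc_sql", "0x17"),
    ("2021-12-01T10:01:05", "bob@CORP.EXAMPLE", "10.0.0.9", "svc_web", "0x17"),
    ("2021-12-01T10:01:09", "bob@CORP.EXAMPLE", "10.0.0.9", "svc_backup", "0x17"),
    ("2021-12-01T10:01:10", "bob@CORP.EXAMPLE", "10.0.0.9", "krbtgt", "0x17"),
    ("2021-12-01T10:00:00", "carol@CORP.EXAMPLE", "10.0.0.7", "svc_sql", "0x17"),
    ("2021-12-01T10:20:00", "carol@CORP.EXAMPLE", "10.0.0.7", "svc_web", "0x17"),
    ("2021-12-01T10:40:00", "carol@CORP.EXAMPLE", "10.0.0.7", "svc_backup", "0x17"),
]]

def is_candidate(ev):
    """RC4 ticket for a user-backed service (not a machine account or krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def find_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Flag requesters that pull RC4 tickets for many distinct services in a short window."""
    by_requester = defaultdict(list)
    for ev in filter(is_candidate, events):
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window forward
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"user": user, "ip": ip, "services": sorted(services)})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

A requester that spreads the same requests over a longer period, like the constructed `carol` account, stays under the default window, so the threshold and window need tuning against a baseline of normal ticket traffic.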