Internal chat data from the Yanluowang ransomware group leaked online last month indicates that the members of the group are Russian speakers and not Chinese as was previously thought. The data also reveals potential links with other ransomware operations.
On October 31, a Twitter user named @yanluowangleaks shared leaks of the Yanluowang group's Matrix chat and server, alongside the ransomware builder and the decryptor source. In total, six files contained internal conversations between the group's members. Analysis of these chats indicates that at least eighteen people have been involved in Yanluowang operations.
First spotted in October 2021, Yanluowang is a ransomware-as-a-service (RaaS) operation. Although the group is primarily focused on attacking organizations within the financial sector, they have also targeted companies in manufacturing, IT services, consultancy, and engineering. In September 2022, the gang leaked the data stolen from Cisco Systems. At the time, the gang claimed to have stolen 55GB of data from Cisco, including classified documents, technical schematics, and source code, but didn’t provide any proof.
The leaked chat logs revealed the names of the core members in charge of the Yanluowang RaaS and their identities on cybercrime forums, and exposed the group's tactics, techniques and procedures (TTPs).
Conversations between the group's members explored the possibility of attacking critical infrastructure; however, one member stated that Yanluowang would not target the critical infrastructure of former Soviet countries. Beyond targets, the chat logs also showed that Yanluowang used the PayloadBIN ransomware, and that attacks involving it may have been misattributed to another ransomware actor, Evil Corp.
The leaked chat logs also revealed that the group appears to support Ukraine, consistent with the statement "We stand with Ukraine" on the negotiation page of Yanluowang's website. It was also found that a former member of the Conti ransomware gang had joined Yanluowang.
Since the leak, Yanluowang's data leak site has been shut down, indicating that the group has halted the operation, at least temporarily.