Yanluowang Ransomware's Russian Links Laid Bare

The inner workings of yet another ransomware group have been laid bare after internal messages were leaked online, suggesting the Yanluowang group was actually run by Russian speakers.

Threat intelligence firm Trellix analyzed close to 3000 messages shared by Twitter user @yanluowangleaks, revealing some interesting tidbits.

The group, which was responsible for breaching big-name organizations over the past year including Walmart and Cisco, converses in Russian, despite its Chinese mythological moniker.

In fact, at one point it wanted to post a message in support of Ukraine on its ransom page to increase the chances of payment, but decided not to out of concerns it would blow the Chinese cover story, Trellix said.

Like Conti, another group whose chats were doxed, Yanluowang appears to have been well organized operationally.

Members include leader and payroll manager “Saint,” lead developer “Killanas” (aka “coder0”) and pen-testers “Felix” and “Shoker.”

A doxed image of Killanas appears to show him wearing a Russian military uniform, which would add weight to the theory that the ransomware actors have close ties to the Kremlin.

The Trellix analysis also revealed collaboration between the group and other ransomware actors, most notably HelloKitty.

A member of the latter group known as “Guki” joins the chat at some point with a view to working together, claiming to have acquired “dozens” of companies but not to have the in-house staff to launch attacks.

There are also ties to the Babuk gang, which quit the ransomware game last year.

“It seems that before Yanluowang developed their own Linux/Unix ransomware locker, they used a Linux locker from Babuk ransomware gang,” Trellix explained.

“In a conversation between Saint and Guki, Saint implies that Babuk died because of the hacker Wazawaka’s (aka Boriselcin) return, and that Saint himself lost a couple of million dollars due to the Babuk locker not decrypting the files as it should.”

Interestingly, Guki appears to have been concerned about his name appearing in the Conti leaks and on US government wanted lists, indicating a possible crossover there too.

Further, in March 2022, Saint asked Killanas for his Bitcoin wallet.

“We have investigated the wallet and tracked the related transactions and managed to find a possible link to Conti ransomware BTC wallets,” Trellix concluded.
