Yanluowang Ransomware’s Russian Links Laid Bare
The inner workings of yet another ransomware group have been laid bare after internal messages were leaked online, suggesting the Yanluowang group was actually run by Russian speakers.
Threat intelligence firm Trellix analyzed close to 3000 messages shared by Twitter user @yanluowangleaks, revealing some interesting tidbits.
The group, which was responsible for breaching big-name organizations over the past year including Walmart and Cisco, converses in Russian, despite its Chinese mythological moniker.
In fact, at one point it wanted to post a message in support of Ukraine on its ransom page to increase the chances of payment, but decided not to out of concerns it would blow the Chinese cover story, Trellix said.
Like Conti, another group whose chats were doxed, Yanluowang appears to have been well organized operationally.
Members include leader and payroll manager “Saint,” lead developer Killanas (aka “coder0”) and pen-testers “Felix” and “Shoker.”
A doxed image of Killanas appears to show him wearing a Russian military uniform, which would add weight to the theory that the ransomware actors have close ties to the Kremlin.
The Trellix analysis also revealed collaboration between the group and other ransomware actors, most notably HelloKitty.
A member of the latter group known as “Guki” joins the chat at some point with a view to working together, claiming to have acquired “dozens” of companies but not to have the in-house staff to launch attacks.
There are also ties to the Babuk gang, which quit the ransomware game last year.
“It seems that before Yanluowang developed their own Linux/Unix ransomware locker, they used a Linux locker from Babuk ransomware gang,” Trellix explained.
“In a conversation between Saint and Guki, Saint implies that Babuk died because of the hacker Wazawaka’s (aka Boriselcin) return, and that Saint himself lost a couple of million dollars due to the Babuk locker not decrypting the files as it should.”
Interestingly, Guki appears to have been concerned about his name appearing in the Conti leaks and on US government wanted lists, indicating a possible crossover there too.
Further, in March 2022, Saint asked Killanas for his Bitcoin wallet.
“We have investigated the wallet and tracked the related transactions and managed to find a possible link to Conti ransomware BTC wallets,” Trellix concluded.