
Yanluowang ransomware leak analysis by Trellix

Updated on 2022-11-23

Trellix investigated around 3,000 leaked internal messages belonging to the Yanluowang ransomware gang and discovered that the group was run by Russian-speaking hackers, despite the Chinese moniker. Read more: Yanluowang Ransomware’s Russian Links Laid Bare

Updated on 2022-11-22: Yanluowang leak analysis

Trellix researchers have published a deep dive into the leak of internal chats from the Yanluowang ransomware gang, which we covered earlier this month. Analysis of more than 2,700 messages reveals ties between members of the Yanluowang gang and members of other ransomware operations such as Babuk, Conti, and HelloKitty. Read more: Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

Updated on 2022-11-09: Yanluowang leak

Darktrace has an in-depth technical analysis of the Yanluowang leak. Read more: Inside the Yanluowang leak: Organization, members, and tactics

Updated on 2022-11-07

An internal data leak forced the Yanluowang ransomware group to shut down its data leak site. An anonymous Twitter account had leaked the gang’s source code and other vital information. Read more: Yanluowang ransomware gang goes dark after leaks

Overview: Internal chats for Yanluowang ransomware gang leaked; reveal members are Russian, not Chinese

The internal chat logs of the Yanluowang ransomware gang were leaked online on Halloween, revealing the group’s core members, details about how they build their code, and how they deal with victims.


But more than anything, the leak reveals that despite their name and repeated claims that the gang consists of Chinese nationals, all internal chats are in “some of the most perfect Russian”—as one threat intel analyst described it on Tuesday.

The leak appears to be the aftermath of a serious hack. Not only did the intruder gain control over the gang’s internal Matrix chat server, but they also compromised Yanluowang’s dark web “leak site.”

They used the leak site—which is heavily monitored by law enforcement and infosec firms—to announce the hack, posting a new blog post on Monday with links to their Telegram and Twitch accounts, where links to the leaked chat logs had been posted.

The leaked chat logs reveal several things. The first is the names of core members in charge of the Yanluowang RaaS and their identities on cybercrime forums.

The second is that the Yanluowang ransomware gang began operations in October 2021, which is around the same time Broadcom’s Symantec first reported on their activities.

Third is that the gang and its members are really bad at coding, which now explains why Kaspersky researchers were able to find a vulnerability in its encryption algorithm and release a free decrypter back in April. And if that wasn’t bad enough, the leaker also shared a screenshot allegedly containing the ransomware’s decryption routine source code.

At the time of this newsletter, there are several theories about who the leaker is, ranging from the classics, a “disgruntled former member” or “a security researcher gone rogue,” to the wildest one: that the leaker is Cisco’s security team, acting as payback for Yanluowang breaching its network and attempting to extort the company earlier this year.

Nevertheless, as happened with the Conti Leaks earlier this year, this leak effectively means the end of the Yanluowang operation, as no one in the cybercrime underground would be willing to work with the group after it has been so thoroughly hacked. OpSec is extremely important for cybercrime operators, and nobody will sign up for a RaaS whose servers may be crawling with spooks and infosec teams.

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected].
