Yanluowang ransomware leak analysis by Trellix

Updated on 2022-11-23

Trellix investigated around 3,000 leaked internal messages belonging to the Yanluowang ransomware gang and discovered that the group was run by Russian-speaking hackers, despite the Chinese moniker. Read more: Yanluowang Ransomware’s Russian Links Laid Bare

Updated on 2022-11-22: Yanluowang leak analysis

Trellix researchers have published a deep dive into the leak of internal chats from the Yanluowang ransomware gang, which we covered earlier this month. Analysis of more than 2,700 messages reveals ties between members of the Yanluowang gang and members of other ransomware operations such as Babuk, Conti, and HelloKitty. Read more: Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

Updated on 2022-11-09: Yanluowang leak

Darktrace has an in-depth technical analysis of the Yanluowang leak. Read more: Inside the Yanluowang leak: Organization, members, and tactics

Updated on 2022-11-07

An internal data leak forced the Yanluowang ransomware group to shut down its data leak site. An anonymous Twitter account had leaked the source code and other vital information. Read more: Yanluowang ransomware gang goes dark after leaks

Overview: Internal chats for Yanluowang ransomware gang leaked; reveal members are Russian, not Chinese

The internal chat logs of the Yanluowang ransomware gang were leaked online on Halloween, revealing the group’s core members, details about how they build their code, and how they deal with victims.

But more than anything, the leak reveals that despite their name and repeated claims that the gang consists of Chinese nationals, all internal chats are in “some of the most perfect Russian”—as one threat intel analyst described it on Tuesday.

The leak appears to be the aftermath of a serious hack. Not only did the intruder gain control over the gang’s internal Matrix chat server, but they also compromised Yanluowang’s dark web “leak site.”

They used the leak site—which is heavily monitored by law enforcement and infosec firms—to announce the hack, posting a new blog post on Monday with links to their Telegram and Twitch accounts, where links to the leaked chat logs had been posted.

The leaked chat logs reveal several things. The first is the names of core members in charge of the Yanluowang RaaS and their identities on cybercrime forums.

The second is that the Yanluowang ransomware gang began operations in October 2021, which is around the same time Broadcom’s Symantec first reported on their activities.

The third is that the gang and its members are really bad at coding, which now explains why Kaspersky researchers were able to find a flaw in its encryption implementation and release a free decrypter back in April. And if that wasn’t bad enough, the leaker also shared a screenshot allegedly containing the ransomware’s decryption routine source code.

https://twitter.com/yanluowangleaks/status/1587141260112007171

At the time of this newsletter, there are several theories about who the leaker is, ranging from the classic “disgruntled former member” to “a security researcher gone rogue.” The wildest theory is that the leaker is Cisco’s security team, acting as payback for Yanluowang breaching its network and attempting to extort the company earlier this year.

Nevertheless, as with the Conti Leaks earlier this year, this leak effectively means the end of the Yanluowang operation, as no one in the cybercrime underground would be willing to work with the group after it has been so thoroughly hacked. OpSec is extremely important for cybercrime operators, and nobody will sign up for a RaaS whose servers may be crawling with spooks and infosec teams.