Insights from the Yanluowang Ransomware Chat Leaks
Insights from the Yanluowang Ransomware Chat Leaks
Category: Ransomware News | Industry: Global | Level: Strategic | Source: Trellix
Chat logs from the Yanluowang ransomware gang were leaked on October 31st, 2022, researchers from Trellix analyzed the logs containing approximately 2,700 messages dated between January 2022 to September 2022. These logs provided insights into the ransomware group's activities who have been active since at least October 2021. The group has targeted Western organizations, with their most notable hacks being against Cisco, SonicWall, and Walmart. Despite the name 'Yanluowang' which is based on a Chinese deity, the operators are identified to only be masquerading as Chinese threat actors, since several messages are communicated in the Russian language. In comparison to the Conti leaks, which revealed a treasure trove of information regarding the group's tactics, techniques, and procedures (TTPs), the Yanluowang chat leak doesn't reveal much on the technical side of their operations. The chat logs do, however, suggest collaboration between various ransomware families including HelloKitty, Babuk, and Conti. Members from the various ransomware groups have discussed government attention against them and communication related to their ransomware's source code. One specific chat member under the alias 'Guki' was particularly concerned about the Conti leaks, identifying his real name. Yanluowang members have communicated they aren't short on compromised credentials to exploit organizations however; they lack the manpower to carry out the attacks. From the chat logs,"Guki mentions he’s got working credentials for at least dozens of companies, however there are only two of them on his team, and he is afraid they will not manage on their own to follow up on all those companies." The present state of the Yanluowang ransomware group is unknown as the group's data leak site has gone down since the leaks were published. Members of the group could lay low for a while, or likely continue to operate within other ransomware groups.
.svg)
