Unraveling the Yanluowang Ransomware Group from Chat Leaks

Category: Ransomware News | Industry: N/A | Level: Strategic | Source: ITPro

Chats logs between Yanluowang ransomware members provided a glimpse into the ransomware group's interworking's. No technical or attack details have been uncovered, the KELA security team has analyzed the leaked chat logs between coders and tests under the aliases 'saint,' 'killanas,' 'stealer,' and 'felix,' which have also been used in various cybercrime forums the members have been active in since 2020-2022. The conversations are dated between January 2022, to September written in the Russian language despite the group being named after a Chinese mythological figure. Members of the group are likely comprised of a diverse group of cybercriminals with the potential to be comprised of former REvil members. References were made to REvil ransomware gang by the operative using the handle 'Saint' referring to members of the group as “former classmates.” An ESXi version of Yanluowang ransomware appears to be under active development from the group, which can cause a significant impact on infrastructure reliant on VMware ESXi technology. The Yanluowang ransomware data leak site was also discovered to have been defaced on Monday, October 31st, 2022. This leak whilst not as severe as leaks from the Conti ransomware group, marks the second data leak from a ransomware group in 2022.

‍