Cyber Threat Actor: Yanluowang
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
1 incident |
|---|
Profile
The threat actor known as Yanluowang, also tracked under the alias @yanluowangleaks, is a ransomware group associated with Russia. The group operates an extortion site used to publish victim data and negotiate ransom payments. Public reporting identifies the actor primarily by these aliases and notes its Russian location. No further details about its size, structure, or sponsorship are provided in the source material.
On October 31, 2022, a message appeared on the group's extortion site announcing that its internal Matrix chat had been compromised. The message stated that approximately 2,700 messages exchanged between January and September 2022 were leaked onto a public leak site. The leaked communications were predominantly in Russian, as noted by researchers who examined the data. Jambul Tologonov, a researcher at Trellix, indicated that the goal of the analysis was to identify the group's tactics, techniques, and procedures and any collaboration with other ransomware families. The researcher's initial observation was that all conversations in the leaked chat were conducted in Russian.
Analysis of the leaked chat revealed insights into the group's operational tactics, techniques, and procedures. The data also suggested possible interactions or collaborations with other ransomware actors. Researchers were able to infer aspects of the group's organizational structure from the internal discussions. The exposure of these internal communications undermined the group's operational security. This breach potentially disrupted the gang's criminal activities by making its tradecraft visible to defenders, law enforcement, and rival threat actors.
The article mentions that Helsinki researchers contributed additional insights into the group's behavior and outlook, though the specifics are not detailed in the provided excerpt. No particular malware families, initial access vectors, or tooling styles are described in the source material concerning Yanluowang's operations. Likewise, the sources do not specify any targeted sectors, geographic regions, or strategic objectives such as financial gain, espionage, or disruption beyond the ransomware context. Consequently, the profile is limited to the confirmed facts about the group's aliases, location, the 2022 chat breach, and the analytical findings derived from that incident.
