Yanluowang
Yanluowang is a ransomware strain and the criminal group that operated it, active from at least 2021 through late 2022. Symantec first identified the family in October 2021; the group is believed to have been operational from around August 2021. The operators encrypted victim files and demanded payment, typically in cryptocurrency, and ran a double-extortion scheme: data was stolen before encryption, and the group threatened to publish it on a leak site if the victim refused to pay. Reported ransom demands ranged from $300,000 to $15 million. Victims also reported further coercion, including harassing phone calls and distributed denial-of-service attacks.

Targets were large organizations across multiple U.S. sectors, including banks, telecommunications providers, engineering firms, and other corporate networks, with victims identified in Pennsylvania, California, Michigan, Illinois, Georgia, and Ohio.

The operation relied in part on initial access brokers, notably Aleksei Olegovich Volkov (alias chubaka.kor). Between July 2021 and November 2022, Volkov identified and exploited vulnerabilities, breached corporate networks, and sold the resulting access to Yanluowang operators for flat fees and a share of ransom proceeds. Court filings tie the Yanluowang attacks enabled by Volkov to at least seven (by some accounts eight) U.S. companies, to more than $9 million in actual losses, and to over $24 million in intended losses.

The group disbanded in late 2022 after its leak site was hacked and its internal chat messages were exposed online. Some reporting suggested the group was Chinese, or that it posed as Chinese hackers to obscure its members' identities.
Groups observed using it
3 distinct threat actors attributed by public researchers.
He assisted major cybercrime groups, including the Yanluowang ransomware group, charging up to $1,000 for access to business networks, as well as a percentage of the profits.
Aleksei Olegovich Volkov ... served as the initial access broker for the Yanluowang ransomware group ... The victims ... said ... their data was stolen and encrypted by Yanluowang ransomware operators.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
Ransomware used by affiliates who purchased initial access to compromise corporate networks, encrypt sensitive business data, and conduct double-extortion by threatening to leak stolen data.
Ransomware used in attacks for which Volkov acted as an initial access broker.
Ransomware used by a criminal gang to breach companies and cause significant financial damage.
Ransomware used by a criminal group that conducted data theft, file encryption, leak-site extortion, harassing phone calls, and distributed denial of service attacks to pressure victims into paying.