Yanluowang ransomware gang’s inner workings uncovered

The Yanluowang ransomware operation has only been pretending to be of Chinese origin, according to The Record, a news site by cybersecurity firm Recorded Future.

Trellix researchers examined leaked messages from the ransomware group’s discussion channel and discovered communications from “Saint,” also known as “sailormorgan32,” who is believed to be a ranking member of the operation, “coder0,” who seemed to be behind a Windows-based ransomware strain, and “Kilanas,” who is allegedly a Russian Federation Ministry of Defense member.

Suspected Ukraine-based HelloKitty ransomware gang has also been mentioned in the chats, with suspected member Guki complaining in the chats regarding inadequate manpower to exploit dozens of working credentials.

“When people start trusting technology and they trust the encryption to give them safety, they will let their guard down and you get these interesting chats. As a researcher from the sidelines, I’m always very eager to receive these chats because it really ties the Russian cybercriminal ecoclimate together. You can see how Yanluowang is tied to other organizations,” said Trellix Head of Threat Intelligence John Fokker.