Trellix logo
Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Gartner Marketplace Guide (XDR)
Gartner® Report: Market Guide for XDR

As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."

Trellix Launches Advanced Threat Research Center
Trellix Launches Advanced Research Center

Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.

The Threat Report - Summer 2022
Latest Report

Our Summer 2022 threat report details the evolution of Russian cybercrime, research into medical devices and access control systems, and includes analysis of email security trends.

Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Stories

The latest cybersecurity trends, best practices,
security vulnerabilities, and more

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

Introduction

On October 31, 2022, Yanluowang’s TOR site was hacked displaying a message “check and mate!! Yanluowang Matrix chat hacked @yanluowangleaks Time’s up!! :) you screwed!! Time’s up!”:

Figure 1 - Yanluowang's hacked onion site
Figure 1 - Yanluowang's hacked onion site

On the same day a Twitter handle @yanluowangleaks shared dumps of Yanluowang’s Matrix chat messages. We immediately downloaded the internal chat logs and began our investigation.

The name “Yanluowang” comes from Chinese mythology (Yanluo Wang is a Chinese deity), suggesting the ransomware gang is potentially of Chinese origin. However, all the communications in the leaked chats were in Russian language and it appears that the name was chosen deliberately to masquerade as a Chinese threat actor.

The ransomware group was first discovered by Symantec back in October 2021. Yanluowang has been used in human-operated, highly targeted attacks predominantly against Western enterprises such as Cisco, Walmart and others.

The recently leaked Yanluowang messages span from mid-January to September 2022 and include around 2.7K messages. However, from this relatively small dataset we have gained a valuable intel on Yanluowang threat actor, their innerworkings, victims and possible collaboration with other Russian ransomware groups. Further details are provided in the below sections.

Interesting chats

Gang’s organization

Based on internal chat messages, Saint seems to be the “boss” of the Yanluowang ransomware group and oversees payroll. In mid-February 2022 while instructing Killanas (aka coder0) on their new TOR infrastructure requirements and its design, he mentioned Felix is a tester, I pay his salary for that”:

Figure 2 Saint giving TOR infrastructure requirements to Killanas
Figure 2 Saint giving TOR infrastructure requirements to Killanas

In a conversation with a pentester, Shoker, whom Saint tasked with testing their TOR admin panel, he advises “If you need to test something write here to Felix, coder of Win locker is coder0, (coder of) Nix/Win32 is Stealer.”

Coder0/Killanas seems to be the developer of a Windows ransomware locker and he has a team of coders. Coder1 is the second developer of his (Killanas’s) team” says Stealer to the boss Saint. A potential identity of Killanas, who calls himself in the leaked chats ‘an InfoSec specialist’, was doxed at Doxbin[.]com by a handle Xander2727 as a “Lead developer of Yanluowang ransomware”:

Figure 3 Doxed info on possible real identity of Killanas
Figure 3 Doxed info on possible real identity of Killanas

According to Xander2727, this individual is a network administrator at Russian Federation Ministry of Defense. If one looks carefully at the doxed image in Figure 3, you can spot an emblem resembling the logo of Russian Ground Forces on the collar of a supposed military uniform.

The intelligence on the potential real identity of Killanas is not found in the Yanluowang leaked chats, therefore we cannot validate Xander2727’s claim nor have details on how they got to the person's identity.

Leader Saint appears to be behind the “sailormorgan32” moniker who in February 2021 claimed to hack SonicWall and receive 5 million USD from them:

Figure 4 Sailormorgan32's post in darkweb on stolen SonicWall data
Figure 4 Sailormorgan32's post in darkweb on stolen SonicWall data

Figure 5 Killanas saying that Saint is sailormorgan32
Figure 5 Killanas saying that Saint is sailormorgan32

It appears Yanluowang hacked SonicWall itself in January 2021 prior to Conti trying to acquire SonicWall VPN appliance in March 2021 and exploit it:

Figure 6 Saint on SonicWall being hacked by them before Conti tried to exploit SonicWall appliance
Figure 6 Saint on SonicWall being hacked by them before Conti tried to exploit SonicWall appliance

In mid-May 2022, Stealer, who is himself a developer of *Nix/Win32 Yanluowang locker, advises Guki (a new joiner of Yanluowang Matrix chat) they also have Gykko who locks victims’ networks and Matanbuchus who is the seller of Yanluowang’s loaders:

Figure 7 Stealer updating Guki on other team members of his
Figure 7 Stealer updating Guki on other team members of his

Possible collaboration with other ransomware families

Yanluowang-HelloKitty

First hints of Yanluowang-HelloKitty collaboration date end of January 2022 when Saint shares a link to an XSS post where Yanluowang source code was posted with Killanas. While examining the leaked source code, Saint initially doubts if it is indeed Yanluowang’s code as “in HelloKitty a piece of code with 'taskkill /f /im *' was also used, as well as a 'pass' on execution.” However, after a careful analysis, they conclude that indeed that is the source code of Yanluowang as it adds an extension “.yanluowang” to the encrypted files. Later, Saint tells to Killanas via his connections with the administration he managed to have the related XSS post removed:

Figure 8 Saint discussing leaked Yanluowang's source code with Killanas
Figure 8 Saint discussing leaked Yanluowang's source code with Killanas

Guki who joined Yanluowang Matrix room chat in mid-May 2022 seems to be behind HelloKitty ransomware. In conversation with Saint, Guki mentions he’s got working credentials for at least dozens of companies, however there are only two of them on his team, and he is afraid they will not manage on their own to follow up on all those companies. Guki advises they have developed everything of their own, from bot to locker: the guy he works with is the developer and he himself does the ‘pwning’ (compromising the networks). When Saint asked him what software they use, Guki replied “the same as before, kittens”:

Figure 9 Guki mentions HelloKitty is his locker
Figure 9 Guki mentions HelloKitty is his locker

It appears that both threat actors were involved in Cisco compromise as later in September 2022 Saint advised Guki that their data was published on Yanlouwang’s data leak site:

Figure 10 Yanluowang-HelloKitty discussing the attack on Cisco
Figure 10 Yanluowang-HelloKitty discussing the attack on Cisco

Yanluowang-Babuk

It seems that before Yanluowang developed their own Linux/Unix ransomware locker, they used a Linux locker from Babuk ransomware gang. In the below conversation between Saint and Guki, Saint implies that Babuk died because of the hacker Wazawaka’s (aka Boriselcin) return, and that Saint himself lost a couple of millions dollars due to Babuk locker not decrypting the files as it should:

Figure 11 Saint on using Babuk's *Nix locker
Figure 11 Saint on using Babuk's *Nix locker

Moreover, in February 2022, while discussing SentinelOne’s article on the evolution of the Evil Corp gang, where SentinelLabs attributed PayLoadBIN ransomware and a new, possibly experimental variant of it, dubbed Cypherpunk to EvilCorp, Saint mentioned that Cypherpunk is his profile name on Exploit forum and there was an effort to recruit hackers in forum where they used PayLoadBIN, and he is wondering why this activity was attributed to Evil Corp group:

Figure 12 Saint asking why a campaign with PayloadBIN and Cypherpunk was attributed to Evil Corp
Figure 12 Saint asking why a campaign with PayloadBIN and Cypherpunk was attributed to Evil Corp

In April-May 2021 Babuk gang quit ransomware encryption and decided to focus on data-theft extortion. They renamed their data leak site to Payload[.]bin and one of the first leaks published on their site was a source code of a game Cyberpunk 2077, allegedly stolen by HelloKitty ransomware group. Having the similarities in naming, PayloadBIN < - > Payload[.]bin and Cypherpunk < - > Cyberpunk 2077, it is probable that Babuk/HelloKitty/Yanluowang gangs were behind this cluster of activity, and it potentially was misattributed to Evil Corp.

Yanluowang-Conti

It is interesting that Guki from HelloKitty ransomware was afraid that his name/moniker will appear in Conti-leaks and/or in the U.S. Department of State’s reward on Conti group members:

Figure 13 Guki being concerned his name/nick will appear in Conti leaks
Figure 13 Guki being concerned his name/nick will appear in Conti leaks

This indeed reinforces the hypothesis of Conti-HelloKitty ransomware groups being affiliated.

Furthermore, in March 2022, when Saint asked Killanas for his Bitcoin wallet, he gave the following BTC address: bc1q8svd69626nauxh2gvvyp8tndet8fntfph4jnz4. We have investigated the wallet and tracked the related transactions and managed to find a possible link to Conti ransomware BTC wallets:

Figure 14 BTC transactions linking Conti and Yanluowang's wallets in one chain of transactions
Figure 14 BTC transactions linking Conti and Yanluowang's wallets in one chain of transactions

As can be seen from Figure 14, in the beginning of 2022 Conti received 1 BTC out of 21.6 BTC from the wallet bc1qc65fsde7zcl8p4vmm3p839przd9h3k5p4ng39l, and 10 days after Killanas received 1.2 BTC to his wallet from the remaining 20.6 BTC. When it comes to cashing out, the Conti and Yanluowang gangs seem to have similar schemes: BTC > Monero > Monero > cash via local exchange offices in large cities. Below is the excerpt of chat extracted from Conti-leaks in comparison with the chat logs from Yanluowang-leaks:

Figure 15 Conti-Trickbot members discussing their cashout scheme
Figure 15 Conti-Trickbot members discussing their cashout scheme

Figure 16 Felix (Yanluowang’s tester) explaining how they exchange BTC to cash
Figure 16 Felix (Yanluowang’s tester) explaining how they exchange BTC to cash

However, we also have observed some differences in Yanluowang’s money laundering scheme in comparison to Conti’s. Killanas seems to exchange BTC to QR codes via LockBit:

Figure 17 Killanas advising he exchanges BTC to QR codes through LockBit
Figure 17 Killanas advising he exchanges BTC to QR codes through LockBit

It is unclear from the leaked chats how Yanluowang members collaborate with the LockBit ransomware group. It is possible that LockBit provides cryptocurrency exchange services to certain cybercriminals where BTC can be cashed out via their QR codes.

Chinese of Ukrainian Origin

What’s interesting is that at some point Yanluowang wanted to place a Ukrainian flag and write “We stand with Ukraine” on their negotiation site to increase their chances of ransom being paid, however they were concerned it would blow up their Chinese actor cover story, so they decided to drop the idea:

Figure 18 Saint and Killanas discussing an option of pretending to be Chinese of Ukrainian origin
Figure 18 Saint and Killanas discussing an option of pretending to be Chinese of Ukrainian origin

Kaspersky’s Yanluowang decryptor

In April 2022 Kaspersky researchers found a vulnerability in Yanluowang’s encryption algorithm and created a free decryptor tool to help victims to recovery their files. According to Yanluowang boss Saint, this was “literally like a knife in the back” and made things difficult for Yanluowang. Nonetheless, within the first five months of 2022 Yanluowang ransomware managed to get one million (currency unknown) through use of their ransomware:

Figure 19 Saint on Kaspersky's Yanluowang decryptor tool
Figure 19 Saint on Kaspersky's Yanluowang decryptor tool

Conclusion

The analysis of Yanluowang internal chat messages provided us valuable insights on who is behind the ransomware group and what are their affiliates. It was fascinating to read their internal communications and find answers to attack’s which took place in the last two years.

This is the second largest internal chat leak from a Russian ransomware group following the leaks from Conti. The intelligence acquired from such data is extremely important as it sheds a light on how sophisticated Russian ransomware ecosystem is, how agile and adaptable threat actors are, and to what extend all these cybercriminal groups are linked to each other.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability.

Featured Content

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.

Zero spam. Unsubscribe at any time.