The TOR site of Yanluowang ransomware got hacked

December 7, 2022

An unidentified entity hacked the Yanluowang ransomware group's TOR site during the last weeks of last month. This ransomware group is notorious for attacks against high-profile organisations such as Walmart, SonicWall, and Cisco.

A group of researchers discovered that Yanluowang's TOR site was hacked at the same moment its Twitter handle dumped the group's Matrix chat messages.

The researchers launched an investigation to analyse the leaked internal messages of the Yanluowang group. The research revealed the group's modus operandi, its victims, and its possible connections to other Russia-based ransomware gangs.

According to the investigation, the group adopted the name Yanluowang to create the impression that it is a threat group from China. However, all the communications in the leaked messages are in Russian, which shows that it is a Russian-speaking organisation.

The leaked chat from the hacked TOR site comprised about 2,700 messages, spanning January to September this year.

The hacked TOR site also revealed multiple members of the Yanluowang ransomware group.

Based on reports, the hack provided details of the key members of the Yanluowang ransomware group, especially its leader. The gang's leader and payroll manager goes by the name Saint, and the group's lead developer is called Killanas.

In addition, the leak revealed two pen testers named Shoker and Felix. The other members included in the leaked list are two coders (Nix and Coder1), a network locker (Gykko), and the seller of Yanluowang's loaders (Matanbuchus).

Aside from these details, the most significant finding the researchers noted in the TOR hack is the similarity between the methods Yanluowang and Conti use to cash out the profits of their cybercriminal campaigns.

Both groups convert Bitcoin to Monero and then Monero to cash. The group could convert the Monero into cash through local exchange offices in many large Russian cities.

The study of Yanluowang's leaked TOR site chats shows how sophisticated and well-managed Russian ransomware groups are. It also reveals how quickly these groups adapt to each development in cybersecurity defences. Lastly, the leak shows how ransomware groups aid one another in monetising their campaigns.
