{
	"id": "e48b5ca4-2289-4397-b5fb-5bc69eaed4d0",
	"created_at": "2026-04-06T00:14:29.006638Z",
	"updated_at": "2026-04-10T03:21:00.113609Z",
	"deleted_at": null,
	"sha1_hash": "a6f42951864bad15bc15d5b1429b54ee91ed55f9",
	"title": "The Yanluowang ransomware group in their own words",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103488,
	"plain_text": "The Yanluowang ransomware group in their own words\r\nBy Dina Temple-Raston\r\nPublished: 2023-01-09 · Archived: 2026-04-05 14:09:04 UTC\r\nhttps://www.youtube.com/watch?v=l3v0A3Wko1Q\r\nThe Yanluowang ransomware group finds itself the victim of a leak. Dina Temple-Raston, host of\r\nthe Click Here podcast, reports.\r\nOn Halloween, a message appeared on the Yanluowang ransomware group’s extortion site: “Check and mate!\r\nYanluowang Matrix chat hacked,” it began. “Time’s up;) you screwed!!”\r\nIt announced that the contents of one of the group’s discussion channels – some 2,700 messages sent between\r\nJanuary and September 2022 – had been breached and were now uploaded to a leak site that allowed researchers,\r\nlaw enforcement, and even competitors to understand how the group was organized, how it interacted with other\r\nransomware actors, and who might be in charge.\r\n“We wanted to dig into the internal chats and figure out what we could locate there — what their TTPs [tactics,\r\ntechniques, and procedures] tradecraft is, was there any collaboration with other ransomware families,” said\r\nJambul Tologonov, a researcher at the cybersecurity firm Trellix. “That’s what my mindset was when I started the\r\ninvestigation, and the first thing I noticed was that their conversations were all in Russian.”\r\nThe finding confirmed something researchers had long suspected: Yanluowang members were just masquerading\r\nas Chinese hackers. The name was a ruse. Cybersecurity firm Symantec first discovered the group in October\r\n2021, and it soon got a reputation: It was clearly human-run, was reasonably skilled, and it targeted Western\r\ncompanies. Two of its most infamous targets: Cisco and Walmart. \r\nChat logs are particularly popular with researchers and law enforcement because they can provide a window into\r\nthe inner workings of a cybercriminal enterprise. 
Members speak freely, they have their guard down, and it\r\ndoesn’t take much effort to work out who is in charge. \r\nEarlier this year, the chat logs from a Russian-speaking ransomware group named Conti were leaked, and the\r\ntrove provided all kinds of clues about how they were organized, what kinds of hacking tools they used, and the\r\nrelationships they had with other hacking groups and Russian law enforcement. In that case, there were tens of\r\nthousands of chat logs to comb through. In comparison, the Yanluowang cache is relatively small. \r\nAs soon as the leak message popped up on the group’s TOR site — which uses open-source software to conceal\r\nvisitors’ location and identities — and Tologonov could confirm it was real, he downloaded messages and began\r\ndigging in. He said he usually begins by writing a Python script to pre-process the messages to make them easier\r\nto read. Then, he puts them in chronological order so he can follow the message thread. \r\n“It allows me to get a good understanding of who’s talking with whom,” Tologonov said.\r\nhttps://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/\r\nPage 1 of 4\n\nBased on the messages, it was clear someone with the name “Saint” was a high-ranking member of the group. In\r\nmid-February, Saint was telling someone named coder0 how to set up a leak page on TOR, short for The Onion\r\nRouter. “Felix is a tester,” he wrote. “I pay his salary for that.”\r\nSaint tasked another penetration tester with looking at the TOR administrator panel. “If you need to test\r\nsomething, write here to Felix,” the chat continued. Small details, to be sure, but data points that can be gathered\r\ntogether to get a sense of the group. \r\nReady Coder One\r\nTologonov gleaned other clues. Coder0, for example, seemed to be the group’s developer of a Windows-based\r\nransomware strain, and he had a team of coders under him. 
Another hacker named Kilanas is allegedly a member\r\nat the Russian Federation Ministry of Defense.\r\nSaint appears to have gotten around as well. Tologonov said that he tracked down some of his other aliases,\r\nincluding “sailormorgan32.” \r\n“That was a very interesting discovery because last year someone named sailormorgan32 posted on the dark web\r\nthat they’d been part of a group that hacked SonicWall,” Tologonov said, referring to last year’s attack on the\r\ncompany that makes firewalls for virtual private networks. \r\n“He claimed that they managed to get $5 million from the organization,” Tologonov said. “We don't know if the\r\nclaim is true or not, but in the conversation someone asks him [Saint], isn’t sailormorgan32 one of your monikers?\r\nAnd he says, indeed, it is mine. It's time for me to go sleep.” \r\nThe chats also provide insight into how various ransomware groups are pooling resources and working together. \r\nHello Guki. HelloKitty.\r\nThe chats also reveal links to other groups, like the infamous HelloKitty ransomware gang, which the FBI\r\nbelieves to be based in Ukraine. A hacker named Guki, who’s thought to be a HelloKitty member, appeared in the\r\nchats this May, complaining about having dozens of working credentials – usernames and passwords – but lacking\r\nthe manpower to exploit them all. \r\n“That’s why I’m reaching out to you,” the chat reads. “Maybe we can work together on further compromises.” He\r\nalso mentions that they are developing everything on their own. When Saint asked him what software his group\r\nwas using, Guki replied: “the same as before, kittens.” \r\nResearchers love to analyze these kinds of leaked chats because it allows them to observe hackers with their guard\r\ndown. What doesn’t make sense, though, given what these hackers are doing for work, is that they don’t encrypt\r\ntheir messages. You’d think that would be Hacker 101. Tologonov said that surprises him, too. 
\r\n“That was also an interesting thing for me,” he said. “You’d think some part of the messages would have been\r\nencrypted which would have made it hard for me as a security researcher to reconstruct all of this. I’d have trouble\r\nputting it all in context. But because it isn’t encrypted as soon as I pre-process the messages and put it in\r\nchronological order, as a Russian speaker, it is easy to read it.”\r\nJohn Fokker, head of threat intelligence at Trellix, did a lot of research when the Conti Leaks came out earlier this\r\nyear. He thinks the Yanluowang leaks came from a private server the group set up to speak among themselves and\r\nhe believes they fell prey to a common problem: they trusted the technology.\r\n“When people start trusting technology and they trust the encryption to give them safety, they will let their guard\r\ndown and you get these interesting chats,” he said. “As a researcher from the sidelines, I’m always very eager to\r\nreceive these chats because it really ties the Russian cybercriminal ecoclimate together. You can see how\r\nYanluowang is tied to other organizations.”\r\nFokker said he and his researchers had always had a gut feeling that these ransomware groups weren’t huge – that\r\nthere was a hardcore group that does this and they know about each other. “And it’s very interesting to read things\r\n[just as] they read our research — they look at other busts, and they watch other crime groups. It gives us a lot of\r\ninsight.”\r\nThe question is always whether these leaks provide so much insight the groups end up having to disband. In the\r\ncase of Yanluowang, its site disappeared soon after the chat logs went public. Tologonov said the group probably\r\nwon’t vanish, they will just get absorbed into other ransomware crews and keep doing what they’ve been doing.\r\n“The group is not that big,” he said. 
“So even if they discontinue Yanluowang, their skills and their tools will be\r\nthere, and they will probably just join other ransomware groups. This won’t be the end of them.” \r\nSean Powers and Will Jarvis contributed reporting to this story.\r\nDina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nSource: https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/"
	],
	"report_names": [
		"the-yanluowang-ransomware-group-in-their-own-words"
	],
	"threat_actors": [],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6f42951864bad15bc15d5b1429b54ee91ed55f9.pdf",
		"text": "https://archive.orkl.eu/a6f42951864bad15bc15d5b1429b54ee91ed55f9.txt",
		"img": "https://archive.orkl.eu/a6f42951864bad15bc15d5b1429b54ee91ed55f9.jpg"
	}
}