
Inside the Yanluowang Leak: Organization, Members, and Tactics


"Yanluowang ransomware, also known as Dryxiphia, was first spotted in October 2021 by Symantec’s Threat Hunter Team. However, it has been operational since August 2021, when a threat actor used it to attack U.S. corporations. Said attack shared similar TTPs with ransomware Thieflock, designed by Fivehands ransomware gangs. This connection alluded to a possible link between the two through the presence or influence of an affiliate. The group has been known for successfully ransoming organisations globally, particularly those in the financial, manufacturing, IT services, consultancy, and engineering sectors. High-profile victims thus far have included Cisco and its security branch Cisco Talos, with the former’s data being published on Yanluowang’s dark web leak site last month.

Leak of Yanluowang’s chat logs

On the 31st of October, a Twitter user named @yanluowangleaks shared the matrix chat and server leaks of the Yanluowang ransomware gang, alongside the builder and decryption source. In total, six files contained internal conversations between the group’s members. From the analysis of these chats, at least eighteen people have been involved in Yanluowang operations."

Source: Inside the Yanluowang Leak: Organization, Members, and Tactics - Darktrace Blog
YanLuoWang ransomware was first used to attack a handful of US corporations in August 2021. Since then, the group have successfully ransomed organizations across the world, with global software giant Cisco among its victims. This blog post reveals Darktrace analysts’ research into the organization’s…
The full report can be read on the Darktrace blog.

#HackTheHacker #Ransomware #TTP