Yanluowang
Yanluowang is a ransomware group active in 2021 and 2022 that conducted attacks against U.S. organizations and other victims. The group is described in the content as a cybercrime/ransomware crew; one mention says it is thought to be a Chinese group, while other reporting in the content says investigators determined members were likely posing as Chinese hackers and using a false Chinese persona to obscure their identities. Based on the content, the latter attribution is also directly mentioned, so the group should be treated as a criminal ransomware actor with uncertain true national affiliation. The group used initial access brokers, including Aleksei Olegovich Volkov, who helped obtain unauthorized access to victim networks between July 2021 and November 2022. After access was obtained, Yanluowang operators or affiliates deployed ransomware, encrypted victim data, disrupted business operations, and demanded cryptocurrency payments. The content also describes double-extortion behavior: stealing data, threatening to leak it on the Yanluowang data leak site, and publishing stolen data when victims refused to pay. Reported ransom demands ranged from $300,000 to $15 million. Victims included at least seven or eight U.S. companies, with sectors including banking, telecommunications, and engineering, across states including Pennsylvania, California, Michigan, Illinois, Georgia, and Ohio. Additional coercive tactics directly mentioned in the content include distributed denial-of-service attacks and harassing or threatening phone calls to victim executives after data theft. The group maintained a leak site used to pressure victims and post stolen data. Symantec first identified the group in October 2021, and one report in the content states the operation had been active since August 2021. The content also states Yanluowang disbanded in late 2022 after its leak site was hacked and thousands of internal chat messages were exposed online. The content further notes that malware used by other groups to steal credentials from Veeam backups had also been used by Yanluowang. No high-confidence aliases or sub-groups for Yanluowang are provided in the content beyond the name itself.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware group whose attacks against U.S. companies were enabled by an initial access broker.
Ransomware group that purchased or benefited from initial access provided by Aleksei Volkov to compromise corporate networks in the United States and conduct ransomware and double-extortion attacks.
A ransomware group referenced in connection with attacks enabled by an initial access broker.
Ransomware gang involved in breaching U.S. companies and causing millions of dollars in damage.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.