Yanluowang ransomware group is known for launching cyberattacks against several high-profile organizations, such as Cisco, Walmart, and SonicWall, over the past year. However, on October 31, Yanluowang’s TOR site was hacked, and at the same time, a Twitter handle @yanluowangleaks dumped Yanluowang’s Matrix chat messages.

Insides out

  • Trellix researchers analyzed thousands of leaked internal messages related to the Yanluowang group and revealed the group's inner workings, victims, and possible collaboration with other Russian ransomware groups.
  • The group chose its name to masquerade as a Chinese threat actor, however, all the communications in the leaked chats were in the Russian language, suggesting that it is actually operated by Russian speakers.
  • The leaked chat spans from mid-January to September and includes around 2,700 messages. 

Group members

Analysis of the leaked data indicates that the group operates as a well-organized enterprise, similar to Conti.
  • Its members include the leader and payroll manager Saint (aka sailormorgan32), lead developer Killanas (aka coder0), and pen-testers Felix and Shoker.
  • The other members include two coders Nix/Win32 (aka Stealer) and Coder1, Gykko (who locks victims’ networks), and Matanbuchus (seller of Yanluowang’s loaders). It further discloses conversations with Guki (a member of the HelloKitty group).
  • A handle Xander2727 doxed Killanas at Doxbin[.]com and the doxed image shows him wearing a Russian military uniform. Xander2727 claims Killanas is a network administrator at the Russian Federation Ministry of Defense, however, no evidence was found in the leaked chats.

Connections with other groups

  • Analysis revealed collaboration between the group and HelloKitty between January and mid-May. Both Saint and Guki were a part of the recent attack on Cisco and they were discussing publishing the leaked data on Yanlouwang’s data leak site.
  • It seems Yanluowang was using Babuk gang’s Linux locker before it developed its own Linux/Unix ransomware locker. Some of the chats discussed Babuk’s reason for quitting the ransomware game and Saint’s million dollars loss over Babuk’s quit.
  • Saint claimed Cypherpunk profile and PayLoadBIN ransomware to himself that was misattribution to EvilCorp by SentinelOne in February.
  • Guki was concerned that his name would appear in Conti leaks and/or in the U.S. Department of State’s wanted list, indicating a possible crossover there too.

Researchers found BTC transactions link between Conti and Yanluowang's wallets in one chain of transactions that points toward Conti and Yanluowang’s similar schemes for cashing out money: BTC > Monero > Monero > cash via local exchange offices in large cities.


The analysis of Yanluowang’s leaked internal chat sheds light on how sophisticated the Russian ransomware ecosystem is, how agile and adaptable threat actors are, and to what extent all these groups are associated with each other. It shows how ransomware groups and their affiliates are predominantly launching attacks against enterprises and monetizing their operations.
Cyware Publisher