Skip to content
Ransomware group

Yanluowang

Yanluowang is a ransomware strain/group active from at least 2021 through late 2022.

Profile source: Mallory opens in a new tab

Yanluowang

Family profile

Yanluowang is a ransomware strain/group active from at least 2021 through late 2022. The content describes it as encrypting victim files and demanding payment, typically in cryptocurrency, while also stealing data and using double-extortion tactics by threatening to publish stolen information on leak sites if victims refused to pay. Reported ransom demands ranged from $300,000 to $15 million. Victims also reported coercive pressure tactics including harassing phone calls and distributed denial-of-service attacks. The group targeted large organizations and multiple U.S. sectors, including banks, telecommunications providers, engineering firms, and other corporate networks, with victims identified across states including Pennsylvania, California, Michigan, Illinois, Georgia, and Ohio. The operation relied in part on initial access brokers, notably Aleksei Olegovich Volkov (alias chubaka.kor), who between July 2021 and November 2022 identified and exploited vulnerabilities, breached corporate networks, and sold access to Yanluowang operators for flat fees and shares of ransom proceeds. Court reporting ties Yanluowang-enabled attacks to at least seven or eight U.S. companies and to more than $9 million in actual losses and over $24 million in intended losses. The content also notes that Symantec first identified the group in October 2021, that it was operational from around August 2021, and that it disbanded in late 2022 after its leak site was hacked and internal chat messages were exposed online. Some reporting cited in the content says the group was thought to be Chinese or was posing as Chinese hackers to obscure its members’ identities.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • GrabChrome
  • GrabFF
  • KeeThief
  • Mimikatz
  • NirSoft WebBrowserPassView

Discovery Enum

  • AdFind
  • Cent Browser
  • S3 Browser
  • SoftPerfect NetScan

LOLBAS

  • NTDS Utility (ntdsutil)
  • PsExec
  • Windows Event Utility (wevtutil)

Networking

  • Chisel

Offsec

  • Cobalt Strike
  • Impacket

RMM Tools

  • LogMeIn
  • ScreenConnect
  • TeamViewer

Reported operators

Threat actors

3 named in public reporting
Yanluowang

He assisted major cybercrime groups, including the Yanluowang ransomware group, charging up to $1,000 for access to business networks, as well as a percentage of the profits.

UNC2447

Aleksei Olegovich Volkov ... served as the initial access broker for the Yanluowang ransomware group ... The victims ... said ... their data was stolen and encrypted by Yanluowang ransomware operators.

LAPSUS$

Aleksei Olegovich Volkov ... served as the initial access broker for the Yanluowang ransomware group ... The victims ... said ... their data was stolen and encrypted by Yanluowang ransomware operators.

Reporting

Research mentioning Yanluowang

Mar 25
Cyber Security News

Russian Initial Access Broker Sentenced to Prison for Enabling Major Ransomware Attacks on U.S. Firms

His illicit activities directly enabled major cybercrime syndicates, including the notorious Yanluowang ransomware group, to compromise numerous corporate networks across the United States.

Mar 25
The Record Media

Russian botnet operator linked to major ransomware attacks sentenced in US | The Record from Recorded Future News

Aleksei Volkov, who helped the Yanluowang ransomware gang breach U.S. companies, received an 81-month prison sentence for his role in attacks that caused millions of dollars in damage.

Mar 25
Bleeping Computer

Manager of botnet used in ransomware attacks gets 2 years in prison

26-year-old Russian national Aleksey Olegovich Volkov was also sentenced to nearly 7 years in prison this week after pleading guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks.

Mar 24
Cyberscoop

Russian access broker sentenced to over 6 years in prison for ransomware schemes | CyberScoop

Volkov, also known as “chubaka.kor,” operated as an initial access broker... pleaded guilty in November 2025 to six federal charges stemming from his work with the Yanluowang ransomware group and other cybercriminal organizations between July 2021 and November 2022.

Mar 24
Security Affairs

81-month sentence for Russian hacker behind major ransomware campaigns

A U.S. court sentenced Aleksei Olegovich Volkov to 81 months in prison for supporting ransomware groups like Yanluowang.

Mar 24
Itpro

Russian sentenced to jail for his part in ransomware attacks | IT Pro

He assisted major cybercrime groups, including the Yanluowang ransomware group, charging up to $1,000 for access to business networks, as well as a percentage of the profits.

Mar 24
The Hacker News

U.S. Sentences Russian Hacker to 6.75 Years for Role in $9M Ransomware Damage

A 26-year-old Russian citizen has been sentenced in the U.S. to 6.75 years (81 months) in prison for his role in assisting major cybercrime groups, including the Yanluowang ransomware crew, in conducting numerous attacks against U.S. companies and other organizations.

Mar 24
Data Breaches

Citing HIPAA, Groups Oppose Renewed Federal Plan to Amass Millions of Workers’ Health Data - DataBreaches.Net

Initial Access Broker sentenced to 81 months in prison for enabling Yanluowang ransomware gang

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.