Full Report
A 25-year-old Russian national pleaded guilty to multiple charges stemming from his participation in ransomware attacks and faces a maximum penalty of up to 53 years in prison. Aleksei Olegovich Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven U.S. businesses during that period, including two that paid a combined $1.5 million in ransoms.
Analysis Summary
# Threat Actor: Aleksei Olegovich Volkov ("chubaka.kor")
## Attribution & Identity
**Identified Individual:** Aleksei Olegovich Volkov (also identified as Aleskey Olegovich Volkov).
**Nationality:** Russian national.
**Status:** Pleaded guilty to multiple charges in the U.S. District Court for the Southern District of Indiana (arrested Jan 18, 2024, in Rome).
**Known Aliases:** “chubaka.kor”.
**Associated Groups:** Initial access broker for the **Yanluowang ransomware group**. Also linked (via reporting on Yanluowang activities) to UNC2447 and Lapsus$.
## Activity Summary
Volkov acted as an Initial Access Broker for Yanluowang, operating from Russia between July 2021 and November 2022. He was responsible for identifying targets, exploiting vulnerabilities, and providing access to co-conspirators for a fee or a percentage of the ransom paid. Prosecutors allege attacks against seven U.S. businesses during this period. Two victims paid a combined $1.5 million in ransom. The total amount demanded across all seven victims was $24 million.
## Tactics, Techniques & Procedures
- **Initial Access Brokering:** Gaining unauthorized access to victim networks and selling/sharing that access with ransomware operators.
- **System Exploitation:** Volkov exploited vulnerabilities in target systems to gain entry.
- **Data Exfiltration:** Data was stolen prior to encryption.
- **Extortion/Coercion (Secondary Tactics):** Victims reported receiving harassing phone calls after data theft and encryption.
- **Denial of Service:** Victims' networks were hit with Distributed Denial of Service (DDoS) attacks following the ransomware deployment.
- **Financial Tracking:** The FBI used blockchain analysis to trace cryptocurrency ransom payments to accounts reportedly linked to Volkov and a co-conspirator ("CC-1").
- **Plea Charges:** Pleaded guilty to unlawful transfer of a means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, and conspiracy to commit money laundering.
## Targeting
- **Sectors:** Included an engineering firm and a bank (among the seven victims).
- **Geography:** Victims were reported as **U.S. businesses**.
- **Victims:** Seven U.S. businesses were attacked. Cisco was hit by a Yanluowang attack in the same timeframe that shared characteristics (initial access broker involvement), but it is not explicitly named as one of Volkov's seven victims in the summary of the court filings.
## Tools & Infrastructure
- **Malware Families Used:** Yanluowang ransomware (deployed by co-conspirators).
- **Infrastructure:** Used multiple accounts to communicate with co-conspirators regarding attacks, payments, and splitting illicit proceeds. Bitcoin transactions were traced.
## Implications
The successful prosecution and guilty plea of an Initial Access Broker highlights how exposed organizations are to compromises that begin with brokered third-party access. IABs are a critical chokepoint in ransomware operations. Tracing the financial proceeds through cryptocurrency forensics (which helped confirm Volkov's identity) is a viable method for attribution and for dismantling these criminal supply chains. Volkov faces up to 53 years in prison and must pay nearly $9.2 million in restitution.
## Mitigations
- **Strengthen Initial Access Defenses:** Focus on robust vulnerability management, timely patching, and rigorous MFA implementation, as this actor specialized in exploiting system vulnerabilities for access.
- **Monitor Access Broker Activity:** Organizations should treat compromised credentials or brokered access as a critical incident.
- **Third-Party Risk Management:** Ensure thorough security vetting of all partners involved in network access processes.
- **Incident Response Preparedness:** Be prepared for multi-faceted attack outcomes including data theft, encryption, and potential secondary harassment or DoS campaigns following initial compromise.