Full Report
A Russian national will plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks that targeted at least eight U.S. companies between July 2021 and November 2022. [...]
Analysis Summary
# Threat Actor: Aleksey Olegovich Volkov (Yanluowang IAB)
## Attribution & Identity
* **Identity:** A Russian national, identified as Aleksey Olegovich Volkov.
* **Known Aliases:** "chubaka.kor," "nets."
* **Associated Groups:** Acted as an Initial Access Broker (IAB) specifically for the **Yanluowang** ransomware group. Potential, though unconfirmed, link suggested via chat logs to the **LockBit** ransomware gang.
## Activity Summary
Volkov provided initial network access to the Yanluowang ransomware group, enabling attacks against at least eight U.S. companies between July 2021 and November 2022. He secured network credentials from compromised systems and sold this access, receiving a percentage of the resulting ransom payments. Two victims paid a combined total of \$1.5 million, a portion of which Volkov collected. Volkov was arrested in Italy in January 2024 and extradited to the U.S. He is scheduled to plead guilty.
## Tactics, Techniques & Procedures
* **Initial Access Brokering:** Breached corporate networks to sell access credentials.
* **Negotiation:** Utilized email (Yanluowang email accounts) for ransom negotiations with co-conspirators ("CC-1").
* **Data Exfiltration:** Successfully stole victim data, though the article implies some attacks (like Cisco's) failed to result in encryption/ransom.
* **Financial Tracking:** Mined cryptocurrency exchange records and blockchain data to track ransom proceeds.
* **Charges:** Trafficking in access information, conspiracy to commit computer fraud, and conspiracy to commit money laundering.
## Targeting
* **Sectors:** Various, including a bank, an engineering firm, a telecommunications provider, and general businesses.
* **Geography:** United States (targeted companies located in Pennsylvania, California, Michigan, Illinois, and Georgia).
* **Victims:** At least eight U.S. companies. Specific mention of an engineering firm with 19 U.S. offices, a Philadelphia-based company, a California company, a Michigan bank, an Illinois business, a Georgia company, and an Ohio telecommunications provider. Cisco was a targeted entity that the group failed to successfully extort.
## Tools & Infrastructure
* **Malware Families Used:** Yanluowang ransomware (deployed by the main group).
* **Infrastructure (C2, domains, IPs):**
  * Email for negotiation: `alekseyvolkov4574@icloud[.]com` (Apple ID) and `qwerty4574@mail[.]ru`.
  * Infrastructure was traced after the FBI obtained search warrants for a server containing chat logs and credentials.
## Implications
The successful identification and prosecution of a key Initial Access Broker highlights law enforcement's ability to dismantle cybercrime ecosystems by targeting service providers. Volkov's guilty plea to multiple serious charges, with restitution exceeding \$9.1 million, sets a precedent for disrupting the supply chain of ransomware groups like Yanluowang. The potential link to LockBit warrants further investigation into the interconnectedness of major ransomware operations.
## Mitigations
* **Credential Management:** Strict monitoring and rotation of corporate network credentials, given that the actor trafficked in stolen access information.
* **Blockchain Analysis:** Use blockchain tracing to monitor and potentially seize assets related to ransom payments (as observed by the FBI tracing the \$1.5M paid).
* **Supply Chain Security:** Organizations are exposed when access to their networks is traded through IAB services; robust monitoring of external compromise disclosure portals is necessary.