Full Report
A Russian national will plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks that targeted at least eight U.S. companies between July 2021 and November 2022. [...]
Analysis Summary
# Threat Actor: Aleksey Olegovich Volkov (Yanluowang IAB)
## Attribution & Identity
* **Identity:** A Russian national, identified as Aleksey Olegovich Volkov.
* **Known Aliases:** "chubaka.kor" and "nets".
* **Associated Groups:** Acted as an Initial Access Broker (IAB) supplying network access to the **Yanluowang ransomware group**. A potential link to the **LockBit** ransomware gang was suggested by chat logs recovered from Volkov's devices.
## Activity Summary
Volkov acted as an IAB for the Yanluowang ransomware operation, breaching corporate networks and selling the resulting access to the ransomware operators, who carried out the encryption and extortion. The activity targeted at least eight U.S. companies between July 2021 and November 2022, and Volkov was paid a share of the ransoms in return for the network credentials he delivered. Two victims paid a combined $1.5 million in ransoms, part of which was traced to Volkov's accounts. Yanluowang itself was first publicly documented in October 2021. Volkov was arrested in Italy in January 2024 and extradited to the U.S.
## Tactics, Techniques & Procedures
* **Initial Access Brokerage:** Breaching corporate networks and selling validated access/credentials to the ransomware group.
* **Ransom Negotiation:** Negotiating deal percentages with a co-conspirator ("CC-1") for access provision.
* **Revenue Share:** Collecting a percentage of the resulting ransom payments (e.g., $94,259 and $162,220 from two separate attacks).
* **Downstream Operator TTPs (inferred, not attributed to Volkov directly):** Ransomware deployment, data encryption, and ransom demands ranging from $300,000 to $15 million, carried out by the Yanluowang operators after purchasing the access.
## Targeting
* **Victim profiles:** A Philadelphia-based company, an engineering firm with 19 U.S. offices, a California company, a Michigan bank, an Illinois business, a Georgia company, an Ohio telecommunications provider, and a business in the Eastern District of Pennsylvania; no single sector focus is evident.
* **Geography:** United States (at least eight targeted companies).
* **Victims:** Specific named victims are not provided, only general organizational types and locations within the U.S.
## Tools & Infrastructure
* **Malware Families:** Yanluowang ransomware, deployed by the operators to whom Volkov sold access. LockBit is mentioned only as a potential link via recovered chat logs.
* **Infrastructure & Identifiers:** No C2 domains or IP addresses are reported; the identifiers tied to Volkov are account-level:
  * Apple ID: alekseyvolkov4574@icloud[.]com
  * Email: qwerty4574@mail[.]ru
  * A server linked to Volkov held chat logs, stolen victim data, and victim network credentials.
## Implications
The case highlights the role of Initial Access Brokers (IABs) in the ransomware ecosystem: a specialist who breaches networks and sells validated access lets operations like Yanluowang scale without running their own intrusions. Two points stand out: the business-like negotiation of revenue shares between broker and operator, and the fact that ransom payments, although made in cryptocurrency, were traced back to the broker's accounts through blockchain analysis. The potential LockBit link suggests overlap or collaboration between major financially motivated groups.
## Mitigations
* Treat remote-access authentication as a primary detection surface: IAB-supplied access typically arrives as a valid logon rather than as malware, so alert on accounts authenticating from sources they have never used before, at unusual hours, or shortly after failed attempts from the same source.
* Review and reset credentials known or suspected to be exposed (via phishing or other means), since brokers like Volkov monetize exactly these; enforcing multi-factor authentication on VPN, RDP and other remote-access paths limits what a buyer can do with a stolen password.
* Preserve ransom payment records and work with law enforcement: blockchain analysis traced portions of the ransoms in this case to Volkov's accounts, and that tracing depends on defenders keeping transaction details.
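The first mitigation above, as an added worked example that is not part of the report and is not code from any named party: a minimal detector run over a constructed remote-access gateway log. The log format (`timestamp user src_ip result`), the sample lines, the seven-day learning baseline and the scoring rules are all assumptions chosen for illustration. It flags the first successful logon of an account from a source it has never used, and raises the score when the logon is off-hours, follows a failed attempt from the same source, or reuses a source just flagged for a different account.

```python
"""Flag valid-credential logons from sources an account has never used.

Added example, not from the report. IAB-sold access normally shows up as a
successful authentication with legitimate credentials, so the detectable
signal is a known account arriving from a never-before-seen source.
The log format and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user src_ip result" from a remote-access gateway.
# The first week is ordinary activity; the last three lines are the scenario of interest.
SAMPLE_LOG = """\
2021-07-01T08:02:11Z jsmith 198.51.100.20 success
2021-07-01T08:05:43Z mlee 203.0.113.7 success
2021-07-02T08:01:09Z jsmith 198.51.100.20 success
2021-07-03T09:14:55Z mlee 203.0.113.7 success
2021-07-05T08:00:31Z jsmith 198.51.100.21 success
2021-07-14T02:47:03Z jsmith 192.0.2.99 failure
2021-07-14T02:47:40Z jsmith 192.0.2.99 success
2021-07-14T02:51:12Z mlee 192.0.2.99 success
"""


def parse(log_text):
    """Yield (timestamp, user, src_ip, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def detect_new_source_logons(log_text, baseline_days=7, off_hours=range(0, 5),
                             fail_window=timedelta(minutes=10),
                             shared_window=timedelta(hours=1)):
    """Return alerts for first-time (user, source) successful logons after the baseline.

    Each alert carries a score equal to the number of reasons that fired, so a
    plain new-source logon scores 1 and a hostile-looking one scores higher.
    """
    events = sorted(parse(log_text))
    if not events:
        return []
    baseline_end = events[0][0] + timedelta(days=baseline_days)  # learning period (assumption)
    known = defaultdict(set)      # user -> sources seen in a successful logon
    last_failure = {}             # (user, src) -> time of most recent failed attempt
    recent_alert_src = {}         # src -> time it was last alerted for any account
    alerts = []
    for ts, user, src, result in events:
        if result != "success":
            last_failure[(user, src)] = ts
            continue
        first_use = src not in known[user]
        known[user].add(src)
        if ts < baseline_end or not first_use:
            continue  # still learning, or a source this account has used before
        reasons = ["first successful logon from this source for the account"]
        if ts.hour in off_hours:
            reasons.append("off-hours logon")
        fail_ts = last_failure.get((user, src))
        if fail_ts is not None and ts - fail_ts <= fail_window:
            reasons.append("failed attempt from same source shortly before")
        prev = recent_alert_src.get(src)
        if prev is not None and ts - prev <= shared_window:
            reasons.append("shared source: same IP recently flagged for another account")
        recent_alert_src[src] = ts
        alerts.append({"time": ts.isoformat(), "user": user, "src": src,
                       "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_new_source_logons(SAMPLE_LOG):
        print(a["time"], a["user"], a["src"], a["score"], "; ".join(a["reasons"]))
```

On the sample data the first week produces nothing, including jsmith's second office address, because it falls inside the learning window. The two 02:xx logons from 192.0.2.99 each score 3: jsmith's because of the preceding failure, mlee's because the same source was flagged for a different account minutes earlier. In a real deployment the baseline would come from an identity provider's historical data rather than the first week of the same log, and the per-source enrichment (ASN, geolocation, known VPN exit) would add further reasons.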