Yanluowang ransomware leaks suggest pseudo Chinese persona, REvil links
It's the second major ransomware organisation to have been rocked this year after internal chat logs were leaked by anonymous hackers


Chat data from the Yanluowang ransomware organisation has been leaked online revealing a fake Chinese persona and potential links with other ransomware organisations.
Yanluowang is named after the Chinese and Buddhist mythological figure Yanluo Wang but chat data revealed those involved in the organisation spoke in Russian.
RELATED RESOURCE
In February 2022, the most prominent member of the group who operates using the alias ‘Saint’ also responded in a discussion related to arrests of former REvil members saying five of the individuals in a linked news report were “former classmates”.
REvil is still in operation but its dominance of the ransomware landscape ended in 2021 following a coordinated international law enforcement operation to arrest many of its core members.
It’s believed the remaining lower-level cyber criminals either stayed with the organisation or moved on to work for more lucrative rivals.
The leaked messages did not explicitly tie Saint to the REvil gang nor does it reveal any more about the relationship between Saint and the arrested REvil members.
Many additional messages using the Russian language were leaked and more active aliases were also named, including ‘Killanas’ which was the second most-active user in the organisation behind Saint.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Killanas is believed to have had a role in handling code assignments, according to KELA’s analysis, which also identified ‘Felix’ as a tester and ‘Stealer’ as another organisation member.
Chat logs between Felix and Stealer appeared to indicate that an ESXi version of Yanluowang ransomware was under development - an approach VMware recently branded “a devastating threat”.
A conversation between Saint and Killanas also hinted at the group's use of Nyx ransomware, KELA said.
Also included in the leak were what the leaker claimed to be source code snippets from both the ransomware locker program's builder and decryption process but the authenticity of these has yet to be verified.
The security community has never confidently or publicly identified the location of the hackers behind the Yanluowang ransomware operation to be either Russia or China and using a false persona to evade attribution is an uncommon tactic.
Publication of the stolen files came as security researchers noticed Yanluowang’s leak blog was defaced on Monday to show the gang itself had been hacked. The hacker left the message “Time’s up!” along with links to download the stolen chat files.
Yanluowang was previously known for successfully conducting ransomware attacks on high-profile organisations such as Cisco and its security arm Cisco Talos. The data from the former was made public last month.
The ransomware group also becomes the second major organisation to have its internal chat data leaked this year.
Russia-linked Conti dominated the ransomware landscape for much of 2021 and the start of 2022 until a Ukrainian cyber security researcher leaked a trove of chat logs and later its source code that led to the group’s demise.
The incident was dubbed “the Panama Papers of ransomware” and was thought to have been a politically motivated attack following Conti’s public support of Russia in its invasion of Ukraine.
Conti and its affiliates were able to conduct a small number of other high-profile attacks before it shut down for good in June 2022.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs