Yanluowang Ransomware Broker Pleads Guilty in Landmark Case

Summary
– A Russian national will plead guilty to acting as an initial access broker for Yanluowang ransomware attacks targeting at least eight U.S. companies between July 2021 and November 2022.
– Aleksey Volkov breached corporate networks and sold access to the ransomware group, which deployed ransomware and demanded ransoms ranging from $300,000 to $15 million in Bitcoin.
– FBI investigators identified Volkov through Apple iCloud data, cryptocurrency records, and social media accounts linked to his phone number and Russian passport.
– Volkov received a percentage of $1.5 million in ransom payments and faces a maximum 53-year prison sentence plus over $9.1 million in restitution.
– Evidence from chat logs and his Apple account connected him to co-conspirators and suggested a potential link to the LockBit ransomware gang.

A Russian national has admitted guilt for his role as an initial access broker in a series of Yanluowang ransomware attacks targeting multiple American businesses. Court documents reveal that Aleksey Olegovich Volkov, operating under online aliases, systematically compromised corporate networks and sold that access to the ransomware group. This criminal activity spanned from July 2021 to November 2022, impacting at least eight U.S. companies.
According to a signed plea agreement, the ransomware group then deployed its malicious software to lock victims’ data, issuing ransom demands that ranged dramatically from $300,000 to a staggering $15 million, with payment requested in Bitcoin. Federal investigators executed search warrants on a server connected to the operation, uncovering a trove of evidence. This included detailed chat logs, stolen confidential information, network credentials belonging to victims, and email accounts specifically used by Yanluowang to negotiate ransom payments.
The FBI successfully identified Volkov by tracing digital footprints back to his personal Apple iCloud account, which was linked to an email address he used. Investigators also pieced together his identity by examining his transactions on cryptocurrency exchanges and his activity on social media platforms. These accounts were tied directly to his personal phone number and Russian passport, creating a clear chain of evidence.
Chat logs recovered from the server painted a vivid picture of Volkov’s criminal negotiations. He communicated extensively with a co-conspirator identified as “CC-1,” agreeing to receive a predetermined cut of the extorted funds in exchange for providing the initial network access. Following successful attacks, Volkov collected his share from the resulting ransom payments, which totaled approximately $1.5 million from two of the victim companies.
While examining data from Volkov’s Apple account, agents discovered a particularly revealing screenshot. It showed a conversation between the defendant and an individual using the name “LockBit,” potentially indicating a connection to the infamous LockBit ransomware cartel. This detail was noted in an affidavit from FBI Special Agent Jeffrey Hunter.
The companies affected by the network breaches Volkov facilitated were spread across the United States. The list includes a Philadelphia-based firm, a national engineering company with numerous offices, a California business, a Michigan financial institution, an Illinois company, a Georgia enterprise, an Ohio telecom provider, and another business located in Eastern Pennsylvania.
Blockchain analysis confirmed that portions of the ransom payments, specifically $94,259 and $162,220 from two separate incidents, were traced to Bitcoin addresses that Volkov had provided to his accomplice in their private chats.
Volkov now confronts a potential maximum prison sentence of 53 years. The charges against him are numerous and severe, including unlawful transfer of identification, trafficking in access information, access device fraud, aggravated identity theft, and conspiracies to commit both computer fraud and money laundering. As part of his plea, he has also been ordered to pay more than $9.1 million in restitution to the companies harmed by his actions.
The Yanluowang ransomware operation first appeared on cybersecurity radars in October 2021 and is known for conducting carefully selected attacks against corporations globally. Volkov was apprehended in Italy in early 2024 and subsequently extradited to the United States. His charges followed an incident in May 2022 where Yanluowang managed to steal non-sensitive files from a Cisco employee’s cloud storage but ultimately failed to encrypt the company’s systems or secure a ransom payment.
(Source: Bleeping Computer)
