Threat intelligence firm Trellix has stated that the Yanluowang ransomware group is actually run by Russian speakers after the company was able to gain access to internal messages leaked online. The internal messages expose the inner workings of the ransomware group, Trellix says. The intelligence firm analyzed over 3,000 messages share on Twitter by a leak account and found that the messages reveal some interesting information. Yanluowang is known for breaching organizations such as Cisco and Walmart. Despite its Chinese mythological moniker, Trellix has stated that the group actually converses in Russian.
At one point, the messages reveal that the group wanted to post a message in support of Ukraine to its ransom page, thinking it may increase the chances of payment. However, the group decided not too as it could expose the Chinese cover story. Due to these messages, it is clear that the Russian-speaking group wants the world to believe that the actors behind its attacks are Chinese. Trellix also found that the group was well organized operationally, according to the leaked messages. Additionally, Trellix found ties between the Yanluowang group and other ransomware actors, including HelloKitty.