An internal data leak appears to have caused the Yanluowang ransomware group to close up shop, at least temporarily.
The group's data leaks site has been shut down, a signal that ransomware infection and collection operations have been put on hold.
The shutdown occurred after an anonymous Twitter account known as Yanluowangleaks exposed a trove of internal information from the ransomware as a service (RaaS) gang, ranging from the source code for its decryption tools and other vital components to internal communications from the group.
The Yanluowangleaks account said it would continue to post leaked information from the group. The account has not provided any information about its origin or connection with the RaaS group, but it appears set on running them out of business.
The leaks also provided some insight into the inner workings of the group. While the name had initially suggested the operation was based in China or involved Chinese-speaking threat actors, communications from the leaks confirmed that the group's operators are Russian-speaking individuals.
Also revealed in the report was a look into how the ransomware community views high-profile news regarding other crews, such as Russian law enforcement's REvil arrests in January.
"I think it shines some really interesting light into the growing concerns ransomware actors have with both security researchers doxing threat actors and also the Russian FSB [Federal Security Service]," said Colin Cowie, threat researcher with Sophos' Managed Threat Response team.
"There is an interesting point in the leaks where some of the threat actors discuss the FSB raid on REvil and speculate on if it's a trend or just media hype," Cowie told TechTarget Editorial.
#yanluowang takes weeks and months to conduct ransom— ywl_leaks (@yanluowangleaks) November 2, 2022
I will expose them in days. Passwords generated. Source code going out now to select user.
The Yanluowang ransomware leaks follow the closure of the Conti ransomware gang earlier this year after a similar series of data leaks affected the RaaS group. The Yanluowang leaks also come at a time when ransomware levels appear to be on the rise and a host of new ransomware crews are looking to fill the void created by the takedowns and disbanding of other high-profile ransomware crews.
However, the apparent closure of Yanluowang is unlikely to cause a significant decrease in overall ransomware attacks. Cowie said that in the overall ransomware pond, Yanluowang is a minnow.
"In the grand scheme of things, I don't think this leak will have a large impact on the tempo of ransomware threat actors currently," he said. "I believe Yanluowang is one of the smaller players out there."