Russian hacker admits helping Yanluowang ransomware infect companies

Graham CLULEY

November 12, 2025


A Russian hacker accused of helping ransomware gangs break into businesses across the United States is set to plead guilty, according to recently filed federal court documents.

25-year-old Aleksey Olegovich Volkov worked as an "initial access broker", a cybercriminal specialist who focuses on the earliest stage of an attack: gaining the first foothold inside a victim's network.

Instead of deploying ransomware himself, Volkov is alleged to have obtained network credentials and administrator access, and then passed that access to operators of the Yanluowang ransomware group.

In return, Volkov received a percentage of any ransom payments extorted from victims. Federal prosecutors say that he earned more than US $256,000 as a result.

The Yanluowang ransomware group is known for encrypting victims' files, changing their extension to ".yanluowang" and threatening to leak exfiltrated data if a ransom is not made.

The gang has also frequently used distributed denial-of-service (DDoS) attacks and even harassing phone calls to pressure organisations into paying up.

Court records state that at least seven organisations across the United States were affected. In some cases, companies are said to have paid significant ransoms to restore access and prevent the leakage of sensitive data.

One organisation is recorded as having paid cryptocurrency ransoms worth approximately US $500,000, and another worth around US $1 million.

Volkov was arrested in Rome in 2023, before being extradited to the United States. In two weeks he is scheduled to enter a guilty plea in a federal court in Indiana. Under the terms of his plea agreement, Volkov has agreed to pay more than US $9 million in restitution to organisations impacted by the attacks.

The Russian hacker's arrest and upcoming conviction illustrate a trend that has been observed by cybersecurity experts for some years: the increasingly organised structure of the ransomware ecosystem.

Criminal ransomware groups are now frequently divided into separate roles - developers, negotiators, money launderers, initial access brokers like Volkov - each with its own part to play.

Removing one link in the chain does not dismantle the entire criminal enterprise, but it can disrupt operations and make attacks more expensive and less efficient for ransomware gangs.

The case also highlights a crucial detail that is sometimes overlooked by cybercriminals - cryptocurrency payments can be tracked.

In this instance, investigators followed the flow of Bitcoin from victims through intermediary wallets before it ultimately arrived in accounts linked directly to Volkov, accounts that he had verified with identity documents.

This information, combined with chat logs recovered by investigators from servers and cloud accounts, helped provide extensive evidence for prosecutors.

Volkov now faces sentencing following his guilty plea. The Yanluowang group, which first surfaced in late 2021 with high-profile attacks against the likes of Walmart and Cisco, appears to have faded into obscurity. But the role played by initial access brokers like Volkov remains in high demand.

None of us should forget that ransomware is more than malware. It is an industry. And as the case of Aleksey Olegovich Volkov demonstrates, the work quietly done by initial access brokers continues to be relied upon by the many gangs who are making millions of dollars through cyber extortion.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
