Article Details
Scrape Timestamp (UTC): 2025-11-10 15:07:47.559
Source: https://www.theregister.com/2025/11/10/russian_iab_pleads_guilty_to/
Original Article Text
Russian broker pleads guilty to profiting from Yanluowang ransomware attacks

Aleksei Volkov faces years in prison, may have been working with other crews.

A Russian national will likely face several years in US prison after pleading guilty to a range of offenses related to his work with ransomware crews. Aleksei Olegovich Volkov, 25, worked as an initial access broker (IAB) and was tied to at least seven ransomware attacks on US organizations, all carried out by the Yanluowang crew.

According to Volkov's indictment [PDF], the Russian provided IAB services to Yanluowang, in some cases charging $1,000 for access to business networks using employee credentials, and later took a chunk of the profits made from ransom payments.

The indictment claimed that, from one attack on a Philadelphia business, Volkov was compensated around five percent ($94,259) of the engineering company's $500,000 ransom payment. He also allegedly netted a roughly six percent cut from a $1 million ransom paid by a Michigan company, earning approximately $162,220 from the incident.

The indictment did not mention any other payments being made, with some victims telling officials that they either restored from backups or simply refused to negotiate with the criminals.

Volkov, however, was ordered to pay a total of $9.1 million in restitution payments to six of the seven victims, which incurred varying costs as a result of the cyberattacks on their systems, which in some cases also included DDoS and data theft. The Michigan company that paid the $1 million ransom, negotiated down from an initial demand of $15 million, is owed the largest sum of the seven victims, more than $7.2 million. The only victim cited in the court documents that was not awarded any restitution payments was a California company that was able to restore from backups.

The prosecution said Volkov was engaged in online chats with an individual described in court documents as co-conspirator 1 (CC-1), between July 2021 and November 2022, during which they routinely discussed ransomware attacks, and how Volkov would be compensated for his help in carrying them out. This typically involved a one-off payment for providing the credentials used to gain access to a victim's network, and prosecutors said Volkov regularly also negotiated a cut of the resulting ransom payments.

On multiple occasions, Volkov requested advances on his payments. This happened after the attack on the Michigan company that paid a $1 million ransom, and again following an attack on a Georgia-based victim. Regarding the latter, investigators said Volkov claimed that he had no money for holiday gifts, and CC-1 sent around $12,000, which the Russian said he would use for work and living expenses while he waited for his full cut.

Testimony provided to the case by law enforcement officials investigating Volkov also hinted at the likelihood of the Russian's involvement in other attacks, separate from the crimes he was charged over in the US. FBI special agent Jeffrey Hunter mentioned an eighth alleged target in the criminal complaint [PDF] against Volkov, described as "a foreign company with an American subsidiary in Center Valley, Pennsylvania," although he offered no details about an attack.

Hunter also said that, after securing various search warrants, the FBI analyzed accounts linked to Volkov, including an iCloud account that he claimed revealed Volkov was at one point in time engaged in online chats with a contact named LockBit.

Volkov pleaded guilty [PDF] to six counts related to access device fraud, computer fraud, trafficking in access information, aggravated identity theft, conspiracy to commit money laundering, and unlawful transfer of a means of identification. His sentencing date has not yet been set. The Register has contacted his lawyer for a statement.
Daily Brief Summary
Aleksei Volkov, a Russian national, pleaded guilty to charges linked to his role as an initial access broker for Yanluowang ransomware attacks on U.S. organizations.
Volkov facilitated at least seven ransomware incidents, selling access to business networks using employee credentials and profiting from ransom payments.
He received significant cuts from ransom payments, including $94,259 from a Philadelphia business and $162,220 from a Michigan company.
Volkov was ordered to pay $9.1 million in restitution to six victims, with the Michigan company owed over $7.2 million after negotiating a ransom down from $15 million.
Court documents revealed Volkov's collaboration with a co-conspirator, discussing ransomware operations and negotiating his compensation.
Investigations suggest Volkov may have been involved in additional attacks, including one targeting a foreign company with a U.S. subsidiary.
The FBI's analysis of Volkov's accounts indicates potential connections with other cybercriminal entities, such as LockBit.
Volkov faces multiple charges, including access device fraud and money laundering conspiracy, with sentencing pending.