Cisco

Cisco, a multinational technology conglomerate, was targeted by the **Yanluowang ransomware gang** in a sophisticated attack facilitated by Aleksey Volkov, an initial access broker. The group exploited network vulnerabilities to infiltrate Cisco’s systems, deploying ransomware that encrypted critical data and disrupted operations. While the article does not specify the exact financial or data losses Cisco incurred, the broader context of Yanluowang’s operations (extortion demands, DDoS attacks, and threats to executives) suggests severe operational and reputational harm. The gang’s tactics often involved stealing sensitive corporate or customer data before encrypting systems, then demanding ransom payments under threat of public exposure or prolonged outages. Cisco’s inclusion among high-profile victims (alongside Walmart) underscores the attack’s strategic intent to cripple infrastructure and extract maximum financial gain. The involvement of a Russian national with reported ties to the defense ministry further elevates the attack’s geopolitical and cybersecurity significance, consistent with Yanluowang’s pattern of targeting Western enterprises with precision.

Source: https://therecord.media/russian-hacker-to-plead-guilty-aiding-ransomware-group

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

"id": "cis0702107111125",
"linkid": "cisco",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Banking',
                        'location': 'Pennsylvania, USA',
                        'name': 'Unnamed Bank (Pennsylvania)',
                        'type': 'Financial Institution'},
                       {'industry': 'Telecommunications',
                        'location': 'California, USA',
                        'name': 'Unnamed Telecommunications Company '
                                '(California)',
                        'type': 'Private Company'},
                       {'industry': 'Engineering',
                        'location': 'Michigan, USA',
                        'name': 'Unnamed Engineering Firm (Michigan)',
                        'type': 'Private Company'},
                       {'location': 'Illinois, USA',
                        'name': 'Unnamed Organization (Illinois)'},
                       {'location': 'Georgia, USA',
                        'name': 'Unnamed Organization (Georgia)'},
                       {'location': 'Ohio, USA',
                        'name': 'Unnamed Organization (Ohio)'},
                       {'industry': 'Technology/Networking',
                        'location': 'California, USA',
                        'name': 'Cisco Systems',
                        'size': 'Large Enterprise',
                        'type': 'Public Company'},
                       {'industry': 'Retail',
                        'location': 'Arkansas, USA',
                        'name': 'Walmart',
                        'size': 'Large Enterprise',
                        'type': 'Public Company'}],
 'attack_vector': ['Exploited Vulnerabilities (unspecified)',
                   'Phishing/Social Engineering (likely)',
                   'DDoS Attacks',
                   'Threatening Calls to Executives'],
 'data_breach': {'data_encryption': ['Yanluowang custom encryption '
                                     '(vulnerability found by Kaspersky)'],
                 'data_exfiltration': ['Likely (based on ransomware MO)']},
 'date_publicly_disclosed': '2025-10-29',
 'description': 'A Russian national, Aleksey Olegovich Volkov (25), acted as '
                'an initial access broker for the Yanluowang ransomware gang, '
                'infiltrating networks of at least eight U.S.-based '
                'organizations (including banks, telecoms, and engineering '
                'firms) between July 2021 and November 2022. Volkov sold '
                'network access to the gang in exchange for a cut of ransom '
                'payments (totaling over $256,000 from two confirmed payouts '
                'of ~$1.5M). He also conducted DDoS attacks and threatening '
                'tactics to coerce victims. Volkov was arrested in Rome in '
                '2023, extradited to the U.S., and agreed to a plea deal in '
                '2025, including $9M in restitution. The Yanluowang group '
                'disbanded in late 2022 after its leak site was hacked, '
                'revealing its members were likely Russian (despite '
                'masquerading as Chinese).',
 'impact': {'brand_reputation_impact': ['High (targeted high-profile U.S. '
                                        'firms)',
                                        'Associated with extortion tactics'],
            'financial_loss': '$1.5M+ (confirmed ransom payments) + $9M '
                              '(restitution agreed in plea deal)',
            'legal_liabilities': ['Plea deal for hacking, extortion, and theft '
                                  'charges',
                                  'Decades-long prison sentence pending'],
            'operational_impact': ['System Lockouts',
                                   'DDoS Disruptions',
                                   'Executive Threats']},
 'initial_access_broker': {'backdoors_established': True,
                           'data_sold_on_dark_web': ['Network access sold to '
                                                     'Yanluowang/LockBit '
                                                     'affiliates'],
                           'entry_point': ['Exploited Vulnerabilities '
                                           '(unspecified)',
                                           'Potential Phishing'],
                           'high_value_targets': ['Banks',
                                                  'Telecoms',
                                                  'Engineering Firms',
                                                  'Cisco',
                                                  'Walmart'],
                           'reconnaissance_period': 'July 2021 – November '
                                                    '2022'},
 'investigation_status': 'Ongoing (Plea deal signed 2025-11-25; sentencing '
                         'pending)',
 'lessons_learned': ['Initial access brokers play a critical role in '
                     'ransomware ecosystems, enabling attacks by selling '
                     'pre-compromised access.',
                     'Threat actors often masquerade as other nationalities '
                     '(e.g., Yanluowang posed as Chinese but was Russian).',
                     'Cryptocurrency tracing and digital breadcrumbs (e.g., '
                     'email, Apple ID) are vital for attribution.',
                     'Collaboration between cybersecurity firms (Symantec, '
                     'Kaspersky) and law enforcement (FBI) can disrupt '
                     'ransomware operations.',
                     'Leaked internal chats can expose operational details and '
                     'debunk threat actor personas.'],
 'motivation': 'Financial Gain (ransomware proceeds, access sales)',
 'post_incident_analysis': {'corrective_actions': ['FBI disruption of '
                                                   'Yanluowang operations via '
                                                   'arrest/extradition of '
                                                   'Volkov.',
                                                   'Kaspersky’s public release '
                                                   'of a free decrypter '
                                                   '(2022).',
                                                   'Heightened scrutiny of '
                                                   'Russian-linked threat '
                                                   'actors masquerading as '
                                                   'other nationalities.',
                                                   'Emphasis on tracing '
                                                   'cryptocurrency '
                                                   'transactions for '
                                                   'attribution.'],
                            'root_causes': ['Insufficient network segmentation '
                                            'allowing lateral movement '
                                            'post-initial access.',
                                            'Lack of detection for initial '
                                            'access brokerage activity.',
                                            'Vulnerabilities in Yanluowang’s '
                                            'encryption algorithm (later '
                                            'exploited by Kaspersky for '
                                            'decrypter).',
                                            'Use of cryptocurrency for ransom '
                                            'payments enabling anonymity.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': ['Double Extortion (likely)'],
                'ransom_demanded': '$1.5M+ (confirmed from two victims)',
                'ransom_paid': '$1.5M+ (confirmed)',
                'ransomware_strain': 'Yanluowang'},
 'recommendations': ['Monitor dark web forums for initial access brokerage '
                     'activity targeting your industry.',
                     'Implement multi-factor authentication (MFA) and '
                     'least-privilege access to thwart initial access brokers.',
                     'Regularly audit cryptocurrency transactions for signs of '
                     'ransomware payments.',
                     'Prepare for double-extortion tactics (data encryption + '
                     'exfiltration) in ransomware response plans.',
                     'Leverage threat intelligence sharing to identify '
                     'emerging ransomware strains like Yanluowang.'],
 'references': [{'date_accessed': '2025-10-29',
                 'source': 'U.S. Department of Justice (Court Documents)'},
                {'source': 'Seamus Hughes (Reporter, Unsealed Documents)'},
                {'date_accessed': '2021-10',
                 'source': 'Symantec (Yanluowang Discovery, 2021)'},
                {'date_accessed': '2022',
                 'source': 'Kaspersky (Decrypter Release, 2022)'},
                {'source': 'FBI Investigation (Cryptocurrency Tracing)'}],
 'regulatory_compliance': {'legal_actions': ['U.S. Federal Charges (hacking, '
                                             'theft, extortion)',
                                             'Plea Deal (2025-10-29)',
                                             'Extradition from Italy (2023)']},
 'response': {'law_enforcement_notified': True,
              'remediation_measures': ['Kaspersky released free decrypter '
                                       '(2022)'],
              'third_party_assistance': ['FBI Investigation',
                                         'Symantec (Threat Intelligence)',
                                         'Kaspersky (Decryption Tool)']},
 'threat_actor': {'affiliation': ['Yanluowang Ransomware Gang',
                                  'LockBit Ransomware Gang (alleged '
                                  'communication)'],
                  'aliases': ['chubaka.kor', 'Alekseq Olegovi3 Volkov'],
                  'apple_id': '[email protected]',
                  'birthdate': '2000-03-20',
                  'cryptocurrency_wallets': ['Linked to Russian '
                                             'passport-verified account'],
                  'email': '[email protected]',
                  'name': "Aleksey Olegovich Volkov (aka 'chubaka.kor')",
                  'nationality': 'Russian',
                  'role': 'Initial Access Broker'},
 'title': 'Yanluowang Ransomware Attacks Facilitated by Initial Access Broker '
          'Aleksey Volkov',
 'type': ['Ransomware',
          'Initial Access Brokerage',
          'DDoS Attacks',
          'Extortion']}