In May 2022, Cisco was hit by a **Yanluowang ransomware** intrusion whose initial access was supplied by Aleksey Olegovich Volkov, an initial access broker (IAB) who got into the company's environment by compromising a **Cisco employee's Box folder**. The attackers exfiltrated **non-sensitive files** but did not manage to encrypt Cisco's systems or extort a ransom. Even so, the incident showed how a single compromised employee account can give an IAB a foothold from which credentials are harvested and access is resold to ransomware operators. The Cisco intrusion was one of at least **eight U.S. companies** to which Volkov brokered access between July 2021 and November 2022, with Yanluowang operators demanding ransoms of **$300,000 to $15 million** per victim. Although Cisco saw neither financial loss nor data encryption in this instance, the breach underscored the risks of **credential theft, cloud-storage (SaaS) account compromise, and ransomware-as-a-service (RaaS) operations** built on brokered access. The FBI's investigation also identified a **potential link between Volkov and the LockBit ransomware gang**, underlining his role as a supplier to more than one high-impact extortion operation.
TPRM report: https://www.rankiteo.com/company/cisco
"id": "cis2802228111125",
"linkid": "cisco",
"type": "Ransomware",
"date": "5/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'location': 'Philadelphia, Pennsylvania, U.S.',
'name': 'Philadelphia-based company'},
{'industry': 'engineering',
'location': '19 U.S. offices (exact locations '
'unspecified)',
'name': 'Engineering firm'},
{'location': 'California, U.S.',
'name': 'California company'},
{'industry': 'financial services',
'location': 'Michigan, U.S.',
'name': 'Michigan bank',
'type': 'bank'},
{'location': 'Illinois, U.S.',
'name': 'Illinois business'},
{'location': 'Georgia, U.S.', 'name': 'Georgia company'},
{'industry': 'telecommunications',
'location': 'Ohio, U.S.',
'name': 'Ohio telecommunications provider',
'type': 'telecommunications'},
{'location': 'Eastern District of Pennsylvania, U.S.',
'name': 'Business in the Eastern District of '
'Pennsylvania'},
{'industry': 'IT/Networking',
'location': 'global (HQ: San Jose, California, U.S.)',
'name': 'Cisco',
'size': 'large enterprise',
'type': 'technology corporation'}],
'attack_vector': ['credential theft',
'network intrusion',
'social engineering (potential)',
'exploitation of vulnerabilities (unspecified)'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'sensitivity_of_data': ['low (Cisco case: non-sensitive '
'files)',
'high (credentials, corporate data)'],
'type_of_data_compromised': ['corporate network credentials',
'stolen data (unspecified)',
'non-sensitive files (Cisco Box '
'folder)']},
'date_publicly_disclosed': '2024-10-29',
'description': 'A Russian national, Aleksey Olegovich Volkov (aliases: '
"'chubaka.kor', 'nets'), acted as an initial access broker "
'(IAB) for Yanluowang ransomware attacks targeting at least '
'eight U.S. companies between July 2021 and November 2022. '
'Volkov breached corporate networks, sold access to the '
'ransomware group, and received a percentage of ransom '
'payments totaling $1.5 million from two victims. He was '
'linked to attacks on companies across multiple U.S. states, '
'including a Philadelphia-based company, an engineering firm, '
'a California company, a Michigan bank, an Illinois business, '
'a Georgia company, an Ohio telecommunications provider, and a '
'business in the Eastern District of Pennsylvania. Volkov was '
'arrested in Italy in January 2024, extradited to the U.S., '
'and faces up to 53 years in prison along with $9.1 million in '
'restitution.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'financial_loss': '$9,167,198.19 (restitution amount)',
'identity_theft_risk': True,
'legal_liabilities': '$9,167,198.19 (restitution) + potential '
'fines',
'systems_affected': True},
'initial_access_broker': {'backdoors_established': True,
'data_sold_on_dark_web': True,
'entry_point': ['corporate network breaches (method '
'unspecified)'],
'high_value_targets': ['U.S. companies (8+)',
'Cisco (breached; encryption and extortion unsuccessful)']},
'investigation_status': 'ongoing (legal proceedings active, defendant pleaded '
'guilty)',
'motivation': 'financial gain',
'post_incident_analysis': {'root_causes': ['initial access brokerage enabling '
'ransomware deployment',
'credential theft/exploitation',
'potential vulnerabilities in '
'corporate networks']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': '$300,000 to $15,000,000 (per victim)',
'ransom_paid': '$1,500,000 (total from two victims)',
'ransomware_strain': 'Yanluowang'},
'references': [{'source': 'Court Watch (Seamus Hughes)'},
{'source': 'FBI affidavit (Special Agent Jeffrey Hunter)'},
{'source': 'Blockchain analysis (ransom payments)'}],
'regulatory_compliance': {'legal_actions': ['arrest (Italy, January 2024)',
'extradition to U.S.',
'guilty plea (October 29, 2024)',
'charges: unlawful transfer of '
'means of identification, '
'trafficking in access '
'information, access device '
'fraud, aggravated identity '
'theft, conspiracy to commit '
'computer fraud, conspiracy to '
'commit money laundering']},
'response': {'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['FBI',
'international law enforcement '
'(Italy)']},
'threat_actor': {'affiliation': ['Yanluowang ransomware group',
'potential link to LockBit ransomware gang'],
'aliases': ['chubaka.kor',
'nets'],
'name': 'Aleksey Olegovich Volkov',
'nationality': 'Russian',
'status': 'arrested (January 2024), extradited to U.S., '
'pleaded guilty (October 29, 2024)'},
'title': 'Yanluowang Ransomware Attacks Facilitated by Initial Access Broker '
'Aleksey Olegovich Volkov',
'type': ['ransomware',
'initial access brokerage',
'data breach',
'cyber extortion']}