Sunday, June 15, 2025
Law And Order News

CyberVolk analysis explores ransomware, hacktivism interconnections



CyberVolk, a ransomware-as-a-service (RaaS) provider and pro-Russia hacktivist group, shares several similarities and connections with other pro-Russia threat groups, revealing an intertwined community of threat actors that blur the line between politically and financially motivated cybercrime, SentinelOne’s SentinelLabs described in a report published Monday.

CyberVolk, formerly known as GLORIAMIST and Solntsevskaya, first emerged under its current name in May 2024 and began claiming ransomware victims in June 2024. The India-based group most recently targeted Japanese entities, claiming attacks against The Japan Foundation, Japan Oceanographic Data Center, Japan Meteorological Agency and Tokyo Global Information System Centre.

Attacks conducted by CyberVolk, along with several other groups it associates itself with, reflect a mix of financial and political motives, with such groups often citing geopolitical issues as a justification for targeting certain countries with ransomware, SentinelLabs noted.

Groups inhabiting this ecosystem have also been shifting focus from distributed denial-of-service (DDoS) attacks to RaaS schemes and other types of malware-as-a-service (MaaS), representing an evolution in the toolsets used by this collection of hacktivists.

CyberVolk associates share motives, code

CyberVolk has aligned itself with other hacker groups promoting pro-Russian interests, such as NONAME057(16), and has also promoted other RaaS offerings including Invisible/Doubleface, HexaLocker and Parano.

CyberVolk’s own ransomware is also based on the code of an earlier hacktivist-turned-RaaS group called AzzaSec, which held pro-Russia, anti-Ukraine and anti-Israel beliefs. AzzaSec’s ransomware source code was leaked in June 2024 and the group was disbanded in August 2024.

The AzzaSec-derived CyberVolk malware targets Windows machines and is written in C++; it previously used AES for file encryption and SHA512 for key generation before switching to “ChaCha20-Poly1305 + AES + RSA + Quantum resistant algorithms,” according to the group’s claims.

When the ransomware is executed, encrypted files are given the “CyberVolk” file extension and the user’s wallpaper is changed to an image showing the CyberVolk logo, along with a window displaying a countdown timer and the gang’s cryptocurrency addresses. The ransom demand is typically $1,000 in Bitcoin or USDT, with the timer counting down from five hours since payload execution.

The Invisible/Doubleface ransomware, which is associated with both CyberVolk and the anti-Israel group Moroccan Black Cyber Army, was found to have identical wallpaper and timer functionality, down to the same five-hour time limit, according to SentinelLabs. It was determined that Invisible/Doubleface was also derived from the leaked AzzaSec code, with Invisible/Doubleface’s own source code also being leaked recently.

CyberVolk has also promoted the HexaLocker RaaS, which was associated with the LAPSUS$ hacker group and a hacktivist alliance called The Holy League, the latter of which is tied to attacks against Spain after the arrests of NONAME057(16) members by Spanish authorities. However, HexaLocker’s developer shut down the operation in October and subsequently offered to put the ransomware code and infrastructure up for sale.

Hacktivist infighting results in Telegram ousters

CyberVolk, which previously conducted much of its communications with associates and victims via Telegram, was banned from the platform in early November 2024 amid rising tensions between various hacktivist groups, and is now using X as its main public communications channel. Rival groups aiming to take down or extort one another turned to weaponizing Telegram’s terms of service and threatening others with reports and bans, SentinelLabs found in its investigation.

The situation was likely exacerbated by increased scrutiny on the platform after Telegram CEO Pavel Durov’s arrest. SentinelLabs observed alleged former members of AzzaSec and another group called APTZone claiming responsibility for the bans of other groups including CyberVolk and Doubleface. They also found a November post by RipperSec accusing former members of AzzaSec and Doubleface of extorting and reporting groups associated with CyberVolk.

The complex web of connections between hacktivists and ransomware actors, as well as conflicts and rivalries between groups, individual members and former members, paints a complicated picture of these mixed political and financially motivated cybercrime groups.

Meanwhile, these groups’ tactics and toolsets only continue to evolve, with CyberVolk recently developing a webshell and infostealer in addition to its RaaS offering.

“As groups like CyberVolk leverage openly available commodity tools with high potential for causing damage, they continue to add more layers of complexity, expanding and revising the tools as they are passed around within the collective. Ransomware operations will get muddier and increase how much cybersecurity teams will need to monitor in order to stay up to date on the happenings within the cybercrime ecosystem,” SentinelLabs concluded.

The blurring of lines between politically motivated and financially motivated groups has also been seen in the recent use of Play ransomware by North Korean nation-state actors, and in partnerships between Iranian state-sponsored actors and ransomware gangs including NoEscape, Ransomhouse and ALPHV/BlackCat.

The reuse of leaked ransomware code is also a popular tactic among newer ransomware actors, with the widely used leaked LockBit builder from 2022 recently seen in attacks against 22 victims by the emerging SafePay ransomware gang.



Copyright © 2024 Law And Order News.
Law And Order News is not responsible for the content of external sites.
