Introduction
CyberVolk is a politically motivated hacktivist group [4] [6], potentially originating from India, that has been active since at least March 2024 [3]. The group, previously known as Gloriamist India [3], targets state and public entities in countries opposing Russian interests [3]. CyberVolk is notable for its use of Ransomware-as-a-Service (RaaS), distinguishing it from typical hacktivist groups.
Description
CyberVolk is a politically motivated hacktivist group [4] [6], possibly of Indian origin [3], that has been active since at least March 2024 [3], emerging under its current name in May 2024 [1]. Formerly known as Gloriamist India [3], the group has targeted various state and public entities in countries opposing Russian interests [3], including critical infrastructure and scientific institutions in Japan [7], France [3] [7], and the UK [3] [7]. Unlike typical hacktivist groups that primarily focus on distributed denial-of-service (DDoS) attacks [3], CyberVolk launched its Ransomware-as-a-Service (RaaS) in June 2024 [9], employing ransomware based on the leaked source code of the disbanded AzzaSec group, which held pro-Russian [1] [8], anti-Ukrainian [1] [2] [4] [5] [8], and anti-Israeli beliefs [1] [8]. The source code for AzzaSec was leaked in June 2024 [8], leading to its disbandment in August 2024.
CyberVolk has adapted this code, along with other ransomware builders such as Diamond, LockBit [6], and Chaos [4] [6], to enhance its sophistication and evade detection [4]. The ransomware is developed in C++ and utilizes advanced encryption algorithms, including AES [1] [2] [4] [5], RSA [1] [2] [5] [8] [9], and quantum-resistant methods [9], to encrypt files [9]. It is designed to terminate processes related to system management tools before executing the encryption [9], appending the “.CyberVolk” file extension to the encrypted files. When executed, it changes the user’s wallpaper to display the CyberVolk logo and presents a payment screen with a countdown timer, typically demanding a ransom of $1,000 in Bitcoin or USDT, with a strict deadline of five hours for victims to comply [3].
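The “.CyberVolk” extension described above is the one host-side artifact this profile gives a defender to look for. The following Python script is an added triage example, not code from the profile or from any cited source: it walks a directory tree, collects files carrying that extension, reports how many directories were touched, and raises an alert when the count suggests mass encryption rather than a stray file. The case-insensitive match, the alert threshold and the constructed sample tree are assumptions, not details taken from the page.

```python
"""Triage helper: hunt a directory tree for files carrying the ".CyberVolk"
extension that the profile says the ransomware appends to encrypted files.

Added example; not code from the profile or any cited source. Assumptions not
on the page: the comparison is case-insensitive, and ALERT_THRESHOLD is an
arbitrary tuning value.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".cybervolk"   # extension named in the profile, matched lower-cased
ALERT_THRESHOLD = 3            # assumed tuning value, not from the page


def find_encrypted_files(root):
    """Return sorted paths under `root` whose name ends with the extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Strip the appended extension to recover the pre-encryption file name."""
    base = os.path.basename(path)
    return base[: -len(ENCRYPTED_EXT)] if base.lower().endswith(ENCRYPTED_EXT) else base


def assess(root, threshold=ALERT_THRESHOLD):
    """Summarise findings: hit count, directories touched, and whether the
    count crosses the threshold (many hits across many directories points to
    mass encryption rather than a single stray file)."""
    hits = find_encrypted_files(root)
    dirs = sorted({os.path.dirname(h) for h in hits})
    return {
        "count": len(hits),
        "directories": dirs,
        "alert": len(hits) >= threshold,
        "files": hits,
        "originals": [original_name(h) for h in hits],
    }


def build_sample_tree():
    """Constructed sample tree (not real victim data): a mix of files with the
    extension in varying case and untouched files. Returns the root path."""
    root = tempfile.mkdtemp(prefix="cybervolk_demo_")
    layout = {
        "docs/report.docx.CyberVolk": b"",
        "docs/budget.xlsx.CyberVolk": b"",
        "docs/notes.txt": b"plain",
        "pics/holiday.jpg.CYBERVOLK": b"",
        "pics/cat.png": b"png",
        "src/main.c.cybervolk": b"",
        "src/Makefile": b"all:",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = assess(demo_root)
    print(f"{result['count']} suspected encrypted file(s), alert={result['alert']}")
    for path, orig in zip(result["files"], result["originals"]):
        print(f"  {path}  (was: {orig})")
```

Run it against a mounted image or a suspect share root instead of the sample tree; the threshold should be tuned to the environment, and a hit count of one or two is worth checking by hand before treating it as an incident.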
In addition to its primary ransomware, CyberVolk has promoted other RaaS offerings [1], including a variant known as Doubleface, which emerged in August-September 2024 and shares the same AzzaSec code base [2]. This ransomware exhibits similar features, such as changing the user’s wallpaper and displaying a countdown timer within the same five-hour timeframe. The Doubleface variant employs AES-256 encryption for files and RSA-2048 for key wrapping [4]. CyberVolk has also been linked to other ransomware families [2], including HexaLocker and Parano [2] [3], illustrating the evolving nature of affiliations among hacktivist groups [3].
Initially, CyberVolk communicated with associates and victims via Telegram but was banned from the platform in November 2024 [1], subsequently shifting to X for public communications [1]. Telegram’s crackdown on hacktivist groups has led to increased scrutiny and conflicts within the community, with rival factions exploiting the platform’s terms of service against one another. Alleged former members of AzzaSec and another group [1], APTZone [1], have been implicated in reporting and banning groups associated with CyberVolk [1]. CyberVolk’s members continue to enhance their tools, increasing their effectiveness in conducting DDoS and ransomware attacks against entities that oppose Russian interests.
Conclusion
The activities of CyberVolk highlight the evolving landscape of hacktivism, where politically motivated groups leverage sophisticated tools like RaaS to further their agendas. The group’s ability to adapt and enhance its ransomware capabilities poses significant challenges to targeted entities. Mitigation efforts must focus on strengthening cybersecurity measures, fostering international cooperation, and developing strategies to counteract such threats. As hacktivist groups continue to evolve, understanding their methods and motivations will be crucial in anticipating future implications and safeguarding against potential attacks.
References
[1] https://www.scworld.com/news/cybervolk-analysis-explores-ransomware-hacktivism-interconnections
[2] https://osintcorp.net/pro-russian-hacktivists-launch-branded-ransomware-operations/
[3] https://thecyberwire.com/podcasts/daily-podcast/2198/transcript
[4] https://gbhackers.com/hacktivists-ransomware-tools/
[5] https://www.infosecurity-magazine.com/news/russian-hacktivists-branded/
[6] https://quantribaomat.com/researchers-detailed-tools-used-by-hacktivists-fueling-ransomware-attacks
[7] https://banana.bj006.com/2024/11/26/cybervolk-%E3%81%AE%E3%83%8F%E3%82%AF%E3%83%86%E3%82%A3%E3%83%93%E3%82%B9%E3%83%88%E3%81%AF%E3%83%AD%E3%82%B7%E3%82%A2%E3%81%AE%E5%88%A9%E7%9B%8A%E3%82%92%E6%94%AF%E6%8F%B4%E3%81%99/
[8] https://hackedalert.com/el-analisis-de-cybervolk-explora-la-interrelacion-entre-ransomware-y-hacktivismo/
[9] https://1275.ru/ioc/8124/cybervolk-apt-iocs/