Full Report
Researchers at SentinelOne describe ransomware campaigns by CyberVolk, a pro-Russian hacktivist group that appears to have roots in India.
Analysis Summary
# Threat Actor: CyberVolk
## Attribution & Identity
* **Country of Origin/Association:** Possibly India (SentinelOne observed roots there). Leader identified as "Hacker-K," also reported to be of Indian origin.
* **Known Aliases:** Gloriamist India (previous name).
* **Associated Groups/Alliances:** Claimed alliances with pro-Russia hacktivist groups, notably NoName057(16). Utilizes tools/code derived from AzzaSec. Has promoted/reused ransomware associated with HexaLocker, Parano, LockBit, and Chaos.
* **Self-Description (in ransom note):** "Elite hackers and cybersecurity experts from Russia."
## Activity Summary
* **Activity Span:** Active since at least March 2024.
* **Campaigns:** Deploying ransomware and information-stealing malware against entities in countries that oppose Russian interests. Recently claimed responsibility for compromising critical infrastructure facilities and scientific institutions in Japan, France, and the U.K.
## Tactics, Techniques & Procedures
* **Primary TTPs:**
* Distributed Denial-of-Service (DDoS) attacks (the group's most common method).
* Deployment of ransomware.
* Deployment of information-stealing malware.
* Data exfiltration via the Discord messaging application.
* **Specific TTPs:** Stealer malware attempts to gather browser, Discord, gaming, and cryptocurrency wallet data.
* **Ransom Demands:** $1,000 cryptocurrency payment, due within five hours.
## Targeting
* **Sectors:** State and public entities; Critical infrastructure; Scientific institutions.
* **Geography:** Countries opposing Russian interests, specifically noted attacks against Japan, France, and the U.K.
* **Victims:** Critical infrastructure facilities and scientific institutions (specific organizations not named).
## Tools & Infrastructure
* **Malware Families Used:**
* Custom CyberVolk ransomware (derived from AzzaSec ransomware source code).
* Information-stealing malware.
* Promoted/reused ransomware families: HexaLocker, Parano, LockBit, Chaos.
* **Infrastructure:** Data exfiltration conducted via the Discord messaging app.
## Implications
CyberVolk represents a politically motivated, adaptive hacktivist group that has moved beyond simple DDoS attacks by adding more disruptive tools, ransomware and data stealers, to its toolset. Its rapid adoption of, and pivoting between, established ransomware codebases (such as AzzaSec's) makes it harder to track and counter, even though the group may consist mostly of lower-skilled actors. It uses current geopolitical events to justify its attacks.
## Mitigations
* Implement robust DDoS mitigation strategies.
* Monitor for indicators related to the ransomware strains the group has adopted or promoted (AzzaSec-derived variants, HexaLocker, Parano, LockBit, Chaos).
* Enhance endpoint detection and response to detect data exfiltration attempts, particularly over non-traditional channels like Discord.
* Pre-stage ransomware response plans and decision authority so that the group's five-hour payment deadline cannot force rushed decisions.
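The Discord exfiltration detection suggested above can be expressed as a simple egress-log check. The following is an added example, not code from SentinelOne or from the report; it assumes a hypothetical EDR/proxy log with one JSON object per line carrying `ts`, `host`, `process`, `method`, `url` and `bytes_out` fields, and the sample lines, process allowlist and volume threshold are constructed for illustration. It flags POSTs to the public Discord webhook endpoint (`/api/webhooks/<id>/<token>`) from processes not expected to talk to Discord, and separately flags any process whose webhook upload volume exceeds a threshold.

```python
"""Detect suspected data exfiltration over Discord webhooks in egress logs.

Added example (not SentinelOne's or CyberVolk's code). Assumes a newline-
delimited JSON log with fields ts, host, process, method, url, bytes_out;
the field names, allowlist, threshold and sample lines are hypothetical.
"""
import json
import re
from collections import defaultdict

# Discord webhooks accept POSTs from any process that knows the URL, which is
# why stealers use them. The path shape below is the public webhook API form.
WEBHOOK_RE = re.compile(
    r"^https://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I
)

# Processes expected to talk to Discord in this (hypothetical) fleet.
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Per-(host, process) webhook upload volume above which even an allowed
# process is reported. 5 MiB is an assumed tuning value.
VOLUME_THRESHOLD = 5 * 1024 * 1024

# Constructed sample log: one benign GET, two stealer-style webhook POSTs from
# a process that should never upload to Discord, one normal client message,
# and one malformed line to show the parser skipping it.
SAMPLE_LOG = """
{"ts":"2024-06-01T10:00:01Z","host":"ws-17","process":"chrome.exe","method":"GET","url":"https://discord.com/channels/@me","bytes_out":512}
{"ts":"2024-06-01T10:00:05Z","host":"ws-17","process":"svchost.exe","method":"POST","url":"https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJ","bytes_out":204800}
{"ts":"2024-06-01T10:00:06Z","host":"ws-17","process":"svchost.exe","method":"POST","url":"https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJ","bytes_out":6291456}
{"ts":"2024-06-01T10:01:00Z","host":"ws-22","process":"discord.exe","method":"POST","url":"https://discord.com/api/v9/channels/1/messages","bytes_out":1024}
not json at all
"""


def parse_log(text):
    """Parse newline-delimited JSON, silently skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_discord_exfil(events):
    """Return a list of alert dicts for webhook POSTs that look like exfiltration.

    Two signals: an unexpected process posting to a webhook (one alert per
    event), and total webhook upload volume per (host, process) over the
    threshold (one alert per pair).
    """
    alerts = []
    volume = defaultdict(int)  # (host, process) -> bytes uploaded to webhooks
    for ev in events:
        if str(ev.get("method", "")).upper() != "POST":
            continue
        if not WEBHOOK_RE.match(str(ev.get("url", ""))):
            continue
        host = ev.get("host")
        proc = str(ev.get("process", "")).lower()
        volume[(host, proc)] += int(ev.get("bytes_out", 0))
        if proc not in ALLOWED_PROCESSES:
            alerts.append({
                "host": host, "process": proc,
                "reason": "unexpected_process", "url": ev["url"],
            })
    for (host, proc), total in volume.items():
        if total > VOLUME_THRESHOLD:
            alerts.append({
                "host": host, "process": proc,
                "reason": "upload_volume", "bytes_out": total,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_discord_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

The regex deliberately matches only the webhook path, so the Discord desktop client's normal message traffic (`/api/v9/channels/...`) is not flagged; in a real deployment the allowlist would come from the EDR's process inventory and the threshold from baseline traffic, and a webhook POST from a system process such as `svchost.exe` would warrant an immediate host isolation rather than just an alert.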