A pro-Russian hacktivist collective, CyberVolk, has launched its own ransomware-as-a-service operations, SentinelLabs has found.
# Threat Actor: CyberVolk
## Attribution & Identity
**Identification:** Pro-Russian hacktivist collective.
**Origin:** India.
**Known Aliases/Previous Names:** Gloriamist, Gloriamist India, Solntsevskaya Bratva.
**Associated Groups/Alliances:** Claims alliances with Lapsus$ and Moroccan Dragons. Also promotes ransomware families like Doubleface, HexaLocker, and Parano.
**Relationship to Other Groups:** The branded ransomware is derived from AzzaSec ransomware code.
## Activity Summary
CyberVolk has been observed advertising its branded Ransomware-as-a-Service (RaaS) since June 2024 and claimed responsibility for multiple ransomware attacks between June and October 2024. The group uses geopolitical issues to justify attacks against public and government entities opposed to Kremlin interests. It conducts DDoS attacks and has adopted commodity malware such as infostealers and webshells. Most recently it used its branded ransomware against entities in Japan and promoted the attacks heavily on its communication channels.
## Tactics, Techniques & Procedures
- **Ransomware Deployment:** Utilizing a branded ransomware derived from AzzaSec code as a RaaS operation.
- **Process Termination:** Designed to terminate any running processes belonging to Microsoft Management Console (MMC) or Task Manager.
- **Pre-Encryption Action:** Drops bitmap images (.bmp) into the `%temp%` folder and displays them before encryption begins.
- **Encryption Algorithm:** Updated encryption algorithms to use "ChaCha20-Poly1305 + AES + RSA + Quantum resistant algorithms" for encryption and key generation (previously AES and SHA512).
- **Extortion:** Displays a payment screen upon successful encryption, featuring a five-hour decryption timer and accepted cryptocurrency payments, with Telegram contact details provided.
- **Other Techniques:** Utilizes DDoS attacks, infostealer malware, and webshells.
## Targeting
**Sectors:** Public and Government entities.
**Geography:** Japan (specifically named targets).
**Victims:** Japan Meteorological Agency (JMA) and the Tokyo Global Information System Centre.
## Tools & Infrastructure
**Malware Families Used:**
- Branded Ransomware (derived from AzzaSec Ransomware code).
- Infostealer malware.
- Webshells.
**Infrastructure (C2, domains, IPs):**
- Communication channels used for hype: Telegram and Discord accounts (Note: These accounts vanished in early November due to platform bans).
- Payment accepted in cryptocurrencies.
## Implications
CyberVolk highlights the increasingly blurred line between hacktivism, cybercrime, and nation-state activity driven by geopolitical conflict. The group's easy access to ransomware builders, and its readiness to deploy them, make it hard to track consistently. Its sudden disappearance from Telegram after platform bans shows how unstable hacktivist operations are when they depend on a single communication platform.
## Mitigations
- Implement robust endpoint protection capable of detecting and terminating malicious processes attempting to disable management tools (MMC, Task Manager).
- Monitor for unusual file drops (like BMP images in temporary directories) preceding mass file encryption events.
- Ensure backup and recovery procedures do not rely on decrypting affected files; the advertised encryption scheme (ChaCha20-Poly1305, AES, RSA) means recovery depends on tested, offline backups.
- Monitor hacktivist communication channels (such as Telegram/Discord) for early warnings regarding targeted entities and TTP evolution.
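As an added defensive example (not code from the SentinelLabs report), the following Python detector applies the two endpoint mitigations above to constructed endpoint events: it flags a host where a `.bmp` written into `%temp%` is closely followed by a burst of file modifications or by termination of MMC/Task Manager. The event shape, the five-minute window, the burst threshold and the sample telemetry are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime      # event time
    host: str         # endpoint name
    kind: str         # "file_create", "file_modify" or "process_terminate"
    target: str       # file path or process image name
# Management tools the report says the ransomware terminates.
MGMT_TOOLS = {"mmc.exe", "taskmgr.exe"}

def is_temp_bmp(path: str) -> bool:
    """True for a .bmp written under a user's %temp% folder (Windows path)."""
    p = path.lower().replace("/", "\\")
    return p.endswith(".bmp") and "\\appdata\\local\\temp\\" in p

def detect(events, window=timedelta(minutes=5), burst=20):
    """One alert per host where a %temp% .bmp drop is accompanied by mass file
    modification and/or termination of MMC or Task Manager within `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for drop in (e for e in evs if e.kind == "file_create" and is_temp_bmp(e.target)):
            near = [e for e in evs if drop.ts - window <= e.ts <= drop.ts + window]
            killed = sorted({e.target.lower() for e in near
                             if e.kind == "process_terminate" and e.target.lower() in MGMT_TOOLS})
            writes = sum(1 for e in near if e.kind == "file_modify" and e.ts >= drop.ts)
            if not killed and writes < burst:
                continue  # a lone BMP in %temp% is not suspicious by itself
            alerts.append({"host": host, "first_seen": drop.ts, "bmp": drop.target,
                           "killed_tools": killed, "modified_files": writes,
                           "severity": "high" if killed and writes >= burst else "medium"})
            break  # one alert per host is enough for triage
    return alerts

# Constructed sample telemetry (not real logs). WS01 shows the full pattern; WS02
# is a benign workstation that happens to write one .bmp into %temp%.
T0 = datetime(2024, 11, 1, 9, 0, 0)
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(T0, "WS01", "process_terminate", "taskmgr.exe"),
    Event(T0 + timedelta(seconds=5), "WS01", "file_create", TEMP + r"\note.bmp"),
    *[Event(T0 + timedelta(seconds=10 + i), "WS01", "file_modify",
            rf"C:\Users\alice\Documents\report{i}.docx") for i in range(30)],
    Event(T0, "WS02", "file_create", TEMP + r"\screenshot.bmp"),
    Event(T0 + timedelta(seconds=40), "WS02", "file_modify", r"C:\Users\bob\notes.txt"),
]
```

Running `detect(SAMPLE_EVENTS)` yields a single high-severity alert for WS01 and nothing for WS02; in production the event list would be fed from EDR or Sysmon file and process telemetry.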