CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic

CyberVolk is a pro-Russia ransomware group that emerged in May 2024 and has targeted public institutions and critical infrastructure in countries such as Japan, France, and the UK, using Telegram for communication. The ransomware encrypts files with AES-256 GCM followed by ChaCha20-Poly1305 using a per-file nonce that is never stored, which makes decryption impossible even with the correct key.

Key points

  • CyberVolk appeared in May 2024 and predominantly targets public institutions and critical infrastructure in countries considered anti‑Russian.
  • The group communicates publicly via Telegram and claims attacks on major facilities and scientific institutions in Japan, France, and the UK.
  • When executed, the ransomware elevates to administrator privileges, excludes specific paths and extensions from encryption, and avoids re‑encrypting already encrypted files.
  • Encryption uses a single symmetric key for all files, derived from a hard‑coded SHA‑256 hashed string, and employs AES‑256 GCM followed by ChaCha20‑Poly1305.
  • A 12‑byte random nonce is generated per file during encryption but is not stored in the encrypted file, preventing correct decryption later.
  • The ransom note (READMENOW.txt) is created only in the execution path and users are given three attempts to enter a hard‑coded decryption key, but decryption fails due to incorrect nonce usage.
  • Recommendations include offline, access‑controlled backups and regular recovery drills to ensure resilience against irrecoverable encryption.
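
To make the nonce problem concrete, here is an added example (written for this summary, not the malware's own code or AhnLab's analysis) of the first encryption layer the key points describe: one AES-256 key for every file derived by SHA-256 from a fixed string, a fresh random 12-byte nonce per file, and an output that holds only ciphertext plus the 16-byte authentication tag. The hard-coded string is a placeholder, and the second ChaCha20-Poly1305 layer is omitted because it is not in Go's standard library; it has the same nonce requirement, so the conclusion is unchanged. Decryption with the nonce that was used succeeds; with any other 12-byte value the AEAD tag check fails, which is exactly why the files cannot be recovered and why an on-disk length of plaintext size plus tag size (no room for a nonce) is a quick sign that a sample's own decryptor cannot work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// Hypothetical stand-in for the hard-coded string the page says the key is hashed from.
const keyMaterial = "PLACEHOLDER-HARDCODED-STRING"

// deriveKey: one AES-256 key for every file, the SHA-256 of a fixed string.
func deriveKey(s string) []byte {
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile seals plaintext under a fresh random 12-byte nonce and returns
// ciphertext||tag only, the layout the page describes; the nonce is returned
// separately, since a recoverable design would have to persist it.
func encryptFile(key, plaintext []byte) (ct, nonce []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize()) // 12 bytes, as on the page
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nonce, nil
}

// decryptFile: only the nonce used at seal time verifies the tag; any other
// value is an authentication error, so a lost nonce defeats the correct key.
func decryptFile(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}
```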

MITRE Techniques

  • [T1548] Abuse Elevation Control Mechanism – The ransomware restarts itself with administrator privileges to perform privileged operations (“When the CyberVolk ransomware is initially executed with normal user privileges, it restarts the ransomware with administrator privileges.”).
  • [T1490] Inhibit System Recovery – The ransomware excludes certain system paths from encryption and likely impairs recovery by encrypting data without storing the nonce values needed to decrypt it (“It excludes certain items from encryption, such as files and directories that may cause issues in the system when encrypted.”).
  • [T1486] Data Encrypted for Impact – Files are encrypted using AES‑256 GCM and ChaCha20‑Poly1305 to deny access to victims (“The file content is then encrypted using AES-256 GCM mode. The encrypted file content is then further encrypted using ChaCha20-Poly1305.”).
  • [T1565] Data Manipulation – The ransomware modifies files by replacing original content with encrypted content and removing or not storing required metadata (nonce) needed for decryption (“Only the encrypted file content and the authentication tag generated by the ChaCha20-Poly1305 encryption are present.”).
  • [T1204] User Execution – The payload runs under user context initially and then elevates, indicating execution initiated by user or service context (“When the CyberVolk ransomware is initially executed with normal user privileges…”).

Indicators of Compromise

  • [File Name] Ransom note and excluded extension – READMENOW.txt (ransom note created in the execution path) and .CyberVolk (extension excluded from encryption so already-encrypted files are not re-encrypted).
  • [Hash] Malware sample MD5 – c04e70613fcf916e27bd653f38149f71 (listed in AhnLab response).
  • [Detection Names] AV/EDR signatures – Ransomware/Win.BlackLock.C5764855, Ransom/MDP.Behavior.M2649, Ransom/MDP.Decoy.M1171, Ransom/EDR.Decoy.M2716 (vendor detection identifiers from AhnLab).
  • [Algorithm/Technique] Encryption primitives used – AES-256 GCM, ChaCha20-Poly1305 (cryptographic methods observed in file encryption process).

Read more: https://asec.ahnlab.com/en/90077/