Keypoints
- CyberVolk ransomware sample (SHA256 provided) saves tmp.bmp and changes the desktop wallpaper before encrypting files.
- The binary spawns multiple threads for user interaction, Task Manager detection/termination, and file scanning/encryption across drive letters a–z.
- Encrypted files receive the .cvenc extension and a CyberVolk_ReadMe.txt ransom note is dropped in each folder.
- Decryption requires a 36-character key, but only the first 16 characters are used in a substitution routine; the transformed output is written to dec_key.dat for decryption attempts.
- Experiments showed that a precomputed dec_key.dat or a random 36-character input can trigger the decryption routine, which restores the original filenames but leaves the file contents empty.
- Code comparisons indicate reuse of Babuk cryptographic routines, with CyberVolk adding AES and Task Manager termination (anti-analysis) behaviors.
- Ransomware claims to delete files on incorrect keys, but tests did not observe file deletion, revealing discrepancies between claims and behavior.
MITRE Techniques
- [T1078] Initial Access – Use of valid or stolen credentials to gain access. (‘Use of stolen credentials to gain access to systems.’)
- [T1203] Execution – Exploitation of vulnerabilities to run malicious code on victims. (‘Exploitation of software vulnerabilities to execute malicious code.’)
- [T1547] Persistence – Creating or modifying services or autostart mechanisms to maintain access. (‘Creating new services or modifying existing ones to maintain access.’)
- [T1068] Privilege Escalation – Exploiting vulnerabilities to gain elevated privileges required for actions like terminating system processes. (‘Exploiting vulnerabilities to gain elevated privileges.’)
- [T1211] Defense Evasion – Termination of security processes (e.g., Task Manager) to evade detection. (‘Termination of security processes to evade detection.’)
- [T1003] Credential Access – Collection of credentials to enable lateral movement or further access. (‘Collection of user credentials for further access.’)
- [T1486] Impact – Data encryption for ransom, causing operational disruption. (‘Data encryption for ransom, causing operational disruption.’)
Indicators of Compromise
- [FILE HASH] sample hash – 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12 (sample analyzed)
- [CRYPTO ADDRESS] payment addresses – BTC: bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87, USDT (ERC20): TXarMAbSLLmStn4RZj63cTH7tpbodGNGbZ (wallet balances noted)
- [FILENAME] dropped/used files – tmp.bmp (saved to C:\Users\USER\AppData\Local\Temp\tmp.bmp), CyberVolk_ReadMe.txt (ransom note placed in affected folders)
- [FILENAME] decryption artifacts – dec_key.dat (written to C:\Users\USER\AppData\Roaming and used to trigger decryption), time.dat (removed during cleanup)
- [FILE EXTENSION] encrypted files – .cvenc extension applied to encrypted files (example: file.txt -> file.txt.cvenc)
We analyzed the CyberVolk ransomware sample (SHA256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12). On execution it first saves an image (tmp.bmp) to C:\Users\USER\AppData\Local\Temp\tmp.bmp and replaces the desktop wallpaper before performing any encryption. The binary creates multiple threads: one handles user interaction (ransom dialog, decryption-key entry, BTC and USDT payment options), another repeatedly searches for a window with class name “TaskManagerWindow” and, if found and running with elevated privileges, sends a WM_CLOSE message to terminate it; additional threads scan drive letters ‘a’ through ‘z’ to enumerate files and recursively encrypt them, appending the .cvenc extension and dropping CyberVolk_ReadMe.txt in each folder.
Decryption logic expects a 36-character key, but only the first 16 characters are passed into a substitution routine that maps characters using a preset table and transforms encrypted string arrays; the resulting output is written to dec_key.dat in C:\Users\USER\AppData\Roaming and used to perform decryption. In experiments placing a precomputed dec_key.dat (containing strings like fc99bb1c28a5ae006e567faf4cfc0d707c1528e and ce12f0967bd216d248cafda3d46ad1368d9f3dee) or entering 36 random characters, the malware executed its decryption routine and restored original filenames, but the file contents remained empty. Claims that incorrect keys would trigger file deletion were not observed during testing (invalid key paths left files encrypted but not deleted). After successful decryption attempts, the malware attempts cleanup by removing dec_key.dat and time.dat from the Roaming folder.
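The filesystem indicators above (the .cvenc extension, the per-folder CyberVolk_ReadMe.txt, the dec_key.dat and time.dat files in Roaming, and the "filename restored but contents empty" outcome of a decryption attempt) can be swept for with a short triage script. The following is an added example written for this page; it is not code from the Rapid7 report or from the sample. The directory layout it builds is constructed test data, the Roaming folder is a stand-in for C:\Users\USER\AppData\Roaming, and the zero-byte check is a heuristic of ours, not a behavior the report describes.

```python
import os
import tempfile
from pathlib import Path

# Artifact names taken from the report: the appended extension, the per-folder
# ransom note, and the two files the decryption path writes to / removes from Roaming.
ENCRYPTED_EXT = ".cvenc"
RANSOM_NOTE = "CyberVolk_ReadMe.txt"
ROAMING_ARTIFACTS = ("dec_key.dat", "time.dat")


def scan_for_cybervolk(root, roaming_dir=None):
    """Walk `root` and collect CyberVolk indicators.

    Returns a dict with:
      encrypted           - (relative path, pre-encryption filename) for each .cvenc file
      notes               - relative paths of every CyberVolk_ReadMe.txt found
      empty_after_decrypt - zero-byte non-.cvenc files in folders that also hold a note
                            (heuristic for the 'filename restored, contents empty' outcome)
      roaming_artifacts   - dec_key.dat / time.dat still present in `roaming_dir`
    """
    root = Path(root)
    report = {"encrypted": [], "notes": [], "empty_after_decrypt": [], "roaming_artifacts": []}

    for dirpath, _dirs, filenames in os.walk(root):
        folder = Path(dirpath)
        has_note = RANSOM_NOTE in filenames
        for name in sorted(filenames):
            path = folder / name
            rel = path.relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                report["notes"].append(rel)
            elif name.endswith(ENCRYPTED_EXT):
                # file.txt.cvenc -> file.txt: the original name is recoverable by stripping the suffix
                report["encrypted"].append((rel, name[: -len(ENCRYPTED_EXT)]))
            elif has_note and path.stat().st_size == 0:
                report["empty_after_decrypt"].append(rel)

    if roaming_dir is not None:
        for artifact in ROAMING_ARTIFACTS:
            if (Path(roaming_dir) / artifact).exists():
                report["roaming_artifacts"].append(artifact)
    return report


def build_sample_tree():
    """Create a constructed post-infection directory (not real victim data) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="cybervolk_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.docx.cvenc").write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE).write_text("constructed ransom note text")
    pics = base / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg.cvenc").write_bytes(b"\x01" * 32)
    (pics / "notes.txt").write_bytes(b"")  # name restored by a decryption attempt, contents gone
    (pics / RANSOM_NOTE).write_text("constructed ransom note text")
    roaming = base / "Roaming"  # stand-in for C:\Users\USER\AppData\Roaming
    roaming.mkdir()
    (roaming / "dec_key.dat").write_text("placeholder key material")
    return base, roaming


if __name__ == "__main__":
    sample_root, sample_roaming = build_sample_tree()
    for key, value in scan_for_cybervolk(sample_root, sample_roaming).items():
        print(f"{key}: {value}")
```

On a real host, point `scan_for_cybervolk` at each mounted drive root and at the user's Roaming folder; a non-empty `roaming_artifacts` list means the cleanup step described above did not complete, and entries in `empty_after_decrypt` are candidates for restoration from backup rather than from the malware's own decryption routine.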
Static comparison using BinDiff shows CyberVolk reuses Babuk cryptographic routines (e.g., CryptAcquireContextW overlaps) while introducing AES-based encryption and anti-analysis behavior (Task Manager termination). Taken together, the pre-encryption wallpaper change, multi-threaded scanning and encryption, weak key validation, and code reuse make CyberVolk technically notable, despite flaws that sometimes leave file contents irrecoverable even when the decryption routine runs.
Read more: https://blog.rapid7.com/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/