CyberVolk, a ransomware-as-a-service (RaaS) provider and pro-Russia hacktivist group, shares several similarities and connections to other pro-Russia threat groups, revealing an intertwined network of threat actors that blur the line between politically and financially motivated cybercrime, SentinelOne’s SentinelLabs described in a report published Monday.
CyberVolk, formerly known as GLORIAMIST and Solntsevskaya, first emerged under its current name in May 2024 and began claiming ransomware victims in June 2024. The India-based group most recently targeted Japanese entities, claiming attacks against The Japan Foundation, Japan Oceanographic Data Center, Japan Meteorological Agency and Tokyo Global information System Centre.
Attacks conducted by CyberVolk, along with several other groups it associates itself with, reflect a mixture of financial and political motives, with such groups often citing geopolitical issues as a justification for targeting certain countries with ransomware, SentinelLabs noted.
Groups inhabiting this ecosystem have also been shifting focus from distributed denial-of-service (DDoS) attacks to RaaS schemes and other types of malware-as-a-service (MaaS), representing an evolution in the toolsets used by this collection of hacktivists.
CyberVolk associates share motives, code
CyberVolk has aligned itself with other hacker groups promoting pro-Russian interests, such as NONAME057(16), and has also promoted other RaaS offerings including Invisible/Doubleface, HexaLocker and Parano.
CyberVolk’s own ransomware is also based on the code of a previous hacktivists-turned-RaaS group called AzzaSec, which held pro-Russia, anti-Ukraine and anti-Israel beliefs. AzzaSec’s ransomware source code was leaked in June 2024 and the group was disbanded in August 2024.
The AzzaSec-derived CyberVolk malware targets Windows machines and is written in C++; it previously used AES for file encryption and SHA512 for key generation before switching to “ChaCha20-Poly1305 + AES + RSA + Quantum resistant algorithms,” according to the group’s claims.
When the ransomware is executed, encrypted files are given the “CyberVolk” file extension and the user’s wallpaper is changed to an image showing the CyberVolk logo, along with a window displaying a countdown timer and the gang’s cryptocurrency addresses. The ransom demand is typically $1,000 in Bitcoin or USDT with the timer counting down from five hours since payload execution.
The Invisible/Doubleface ransomware, which is associated with both CyberVolk and the anti-Israel group Moroccan Black Cyber Army, was found to have a similar wallpaper and timer functionality down to the same five-hour time limit, according to SentinelLabs. It was determined that Invisible/Doubleface was also derived from the leaked AzzaSec code, with Invisible/Doubleface’s own source code also being leaked recently.
Cybervolk has also promoted the HexaLocker RaaS, which was associated with the LAPSUS$ hacker group and a hacktivist alliance called The Holy League, the latter of which is tied to attacks against Spain after the arrests of NONAME057(16) members by Spanish authorities. However, HexaLocker’s developer shut down the operation in October and subsequently offered to put the ransomware code and infrastructure up for sale.
Hacktivist infighting leads to Telegram ousters
CyberVolk, which previously conducted much of its communications with associates and victims through Telegram, was banned from the platform in early November 2024 amid growing tensions between various hacktivist groups, as is now using X as its main public communications channel. Rival groups aiming to take down or extort one another turned to weaponizing Telegram’s terms of service and threatening others with reports and bans, SentinelLabs found in its investigation.
The situation was likely exacerbated by increased scrutiny on the platform after Telegram CEO Pavel Durov’s arrest. SentinelLabs observed alleged former members of AzzaSec and another group called APTZone claiming responsibility for the bans of other groups including CyberVolk and Doubleface. They also found a November post by RipperSec accusing former members of AzzaSec and Doubleface of extorting and reporting groups associated with CyberVolk.
The complex web of connections between hacktivists and ransomware actors, as well as conflicts and rivalries between groups, individual members and former members, paints a complicated picture of these blended political and financially motivated cybercrime groups.
Meanwhile, these groups’ tactics and toolsets only continue to evolve, with CyberVolk recently developing a webshell and infostealer along with its RaaS offering.
“As groups like CyberVolk leverage openly available commodity tools with high potential for causing damage, they continue to add more layers of complexity, expanding and revising the tools as they are passed around within the collective. Ransomware operations will get muddier and increase how much cybersecurity teams will need to monitor in order to stay up to date on the happenings within the cybercrime ecosystem,” SentinelLabs concluded.
The blurring of lines between politically-motivated and financially-motivated groups has also been seen in the recent use of Play ransomware by North Korean nation-state actors, and partnerships between Iranian state-sponsored actors and ransomware gangs including NoEscape, Ransomhouse and ALPHV/BlackCat.
The reuse of leaked ransomware code is also a popular tactic among newer ransomware actors, with the widely-used leaked LockBit builder from 2022 recently seen in attacks against 22 victims by the emerging SafePay ransomware gang.
