
Security researchers from ThreatMon have uncovered a relatively new hacker group called CyberVolk. Initially detected in July 2024, the group quickly gained notoriety for its advanced features and rapid evolution.
CyberVolk made its debut in the shadows of the dark web and has since evolved into a Ransomware-as-a-Service operation involved in a wide array of cybercrime activities, with official accounts on platforms like Telegram and X.
The initial variant of CyberVolk Ransomware used the AES encryption algorithm to lock victims' files. The upgraded variant incorporates stronger cryptographic algorithms, including ChaCha20-Poly1305, AES, and even quantum-resistant technologies. These enhancements make it nearly impossible to decrypt the files without paying the ransom, even for those equipped with quantum computing resources.
The ransomware can operate without connecting to a C2 server. This autonomous encryption process makes the malware harder to detect and block, and the attackers have added a severe penalty for failed recovery attempts: if the wrong decryption key is entered, the ransomware automatically deletes the encrypted data, leaving victims with little recourse but to comply with the ransom demand.
The ransomware also has some distinctive features. Once executed, it blocks access to critical system tools like Task Manager, preventing users from terminating the encryption process. It completes encryption of all files within minutes and then presents the victim with a ransom demand of $1,000. Victims are also given a stark deadline: failure to pay within five hours results in the permanent destruction of their data.
The malware employs advanced tactics to evade detection, including debugger detection and runtime environment checks. It is also capable of spreading like a worm across connected devices and network shares, meaning that a single infected machine can quickly compromise an entire network.
Even with its enhancements, the ransomware has drawbacks. It blocks Task Manager but does not block PowerShell, which allows skilled users to stop the encryption process using specific commands. The ransomware's five-hour countdown timer can also be altered by editing the "time.dat" file located on the user's system, potentially giving cybersecurity teams more time to mitigate the attack.
According to the reports, the threat actors have earned over $20,000 from ransomware attacks, signaling a troubling rise in the financial impact of their operations.
CyberVolk Ransomware is a new and evolving threat in the cyber landscape. Its capabilities, sophistication, encryption, and evasion techniques make it a formidable adversary.
Regular software updates, robust backup strategies, and employee education on cybersecurity hygiene are recommended to minimize the risk of ransomware attacks.
Indicators of Compromise


