CyberVolk: Indian Hacktivist Collective Engages in Ransomware Attacks
Quick take - CyberVolk, a hacktivist collective based in India with pro-Russia inclinations, emerged in May 2024 and has claimed responsibility for various ransomware attacks on global public and government entities. It has also developed its own Ransomware-as-a-Service model and adapted its tactics in response to the evolving cybercrime landscape.
Fast Facts
- CyberVolk, a pro-Russia hacktivist collective from India, emerged in May 2024 and has conducted multiple ransomware attacks targeting global public and government entities.
- The group operates a Ransomware-as-a-Service (RaaS) model, utilizing a shared codebase with other ransomware groups like AzzaSec and DoubleFace, and has developed its own ransomware families, including HexaLocker and Parano.
- CyberVolk employs various tools, including malware and DDoS attacks, to disrupt operations opposing Russian interests. Its ransomware is based on leaked AzzaSec source code and features advanced encryption methods.
- The collective has connections with other hacktivist groups and has launched specific campaigns, such as “#OpJP,” targeting organizations in Japan, while also venturing into infostealer malware development.
- In November 2024, CyberVolk faced a setback with a ban from Telegram, leading to a shift in communication to the X platform, complicating tracking efforts for cybersecurity professionals.
CyberVolk: The Pro-Russia Hacktivist Collective
CyberVolk, also known by the alias GLORIAMIST, is a hacktivist collective based in India. The group has demonstrated pro-Russia inclinations and has claimed responsibility for several ransomware attacks since emerging in its current form in May 2024. These attacks occurred between June and October 2024, targeting a variety of public and government entities globally. CyberVolk’s primary objective appears to be exploiting geopolitical tensions, aligning its activities with the interests of the Russian government.
Ransomware Operations and Tools
SentinelLabs has identified a shared codebase between CyberVolk and other ransomware groups, including AzzaSec and DoubleFace. Notably, CyberVolk has developed its own Ransomware-as-a-Service (RaaS) model since June 2024, promoting various ransomware families such as HexaLocker and Parano. The group has shown adaptability by taking a range of existing malware and modifying it to enhance its capabilities. It uses DDoS tools alongside ransomware attacks to disrupt operations that oppose Russian interests.
CyberVolk’s ransomware is primarily based on the leaked source code of AzzaSec, which operated under a RaaS model until its disbandment in August 2024. The ransomware payloads are written in C++ and incorporate various encryption algorithms, including AES, RSA, and ChaCha20-Poly1305, even utilizing quantum-resistant methods. Ransom payments are typically accepted in Bitcoin (BTC) and Tether (USDT), with amounts frequently set at $1000. The decryption process includes a timer set to five hours, during which victims are pressured to comply.
Campaigns and Connections
The collective has launched specific campaigns, such as “#OpJP,” targeting organizations in Japan, including the Japan Foundation and the Japan Meteorological Agency. CyberVolk has connections with other hacktivist groups, including LAPSUS$, Anonymous, and NONAME057(16). In addition to ransomware, CyberVolk has ventured into developing infostealer malware, webshells, and tools like the CyberVolk Stealer, which collects sensitive data and exfiltrates it via Discord. A newly announced webshell allows for file management on compromised servers.
The hacktivist landscape is characterized by volatility and infighting, with rapid shifts in threat dynamics. In early November 2024, CyberVolk and its affiliates faced a significant setback when they were banned from Telegram, prompting a shift in their communication to the X platform. This mass banning was reportedly due to internal conflicts and external pressures, complicating tracking and monitoring efforts for cybersecurity professionals.
Overall, CyberVolk has established itself as a notable player in the cybercrime ecosystem, continually evolving its tactics and methodologies in response to both opportunities and challenges within the landscape.