CyberVolk ransomware, which first emerged in May 2024, has escalated its operations against government agencies, critical infrastructure, and scientific institutions across Japan, France, and the UK.
Operating with pro-Russian leanings, CyberVolk specifically targets states perceived as hostile to Russian interests, leveraging sophisticated encryption techniques that render decryption impossible.
This article delivers a technical analysis of CyberVolk's encryption architecture, execution flow, and the inherent flaws that prevent recovery without backups.
CyberVolk surfaced in May 2024, quickly distinguishing itself by focusing on public sector targets in countries with anti-Russian policies.
The group communicates via Telegram channels, issuing threats and ransom demands directly to victims.
Notable attacks include Japanese power grids, French research laboratories, and British scientific consortia.
CyberVolk's motivations appear geopolitically driven, aligning with pro-Russian narratives by crippling the technological capabilities of adversarial states.
Upon launch under standard user privileges, the ransomware re-executes with administrator rights to gain full system access.
It then builds an exclusion list to avoid destabilizing critical system directories. Paths containing substrings such as "Windows," "Program Files," and "ProgramData" are omitted from encryption to maintain system stability and enable persistence after reboot.
Encryption Exclusions
CyberVolk excludes files already bearing its custom extension, as well as system folders, to prevent redundant operations and reinfection.
Windows
Program Files
ProgramData
CyberVolk
The ransomware employs a two-layer symmetric encryption scheme using AES-256-GCM and ChaCha20-Poly1305.

A single symmetric key is generated at process initialization and applied uniformly across all target files. Each file encryption begins with a 12-byte nonce produced by crypto_rand_Read(). This nonce ensures distinct ciphertexts even for identical plaintexts. File contents are first encrypted under AES-256-GCM, producing both ciphertext and an authentication tag, before being encrypted a second time using ChaCha20-Poly1305.
File Construction Adjustments
Post-encryption, files retain only the encrypted data and the ChaCha20-Poly1305 authentication tag; no nonce or key-derivation metadata is stored alongside the ciphertext. This omission makes offline decryption unachievable.
Upon completion of encryption, the ransomware generates a ransom note named READMENOW.txt in the execution directory.
A desktop background change and a note prompt instruct victims to enter a hard-coded decryption key within three attempts.
Although decryption logic is present, it handles the nonce incorrectly, failing to retrieve or apply the original value, which results in decryption failures.
CyberVolk's self-developed ransomware leverages strong, double-layer symmetric encryption with randomly generated nonces that are never preserved, making the ciphertext irrecoverable by design.
Its pro-Russian orientation and selective targeting of anti-Russian states underscore the geopolitical dimension of its cyber attacks.
Organizations must implement stringent backup strategies, maintaining offline, access-controlled copies of critical data, and regularly conduct recovery drills to mitigate irreversible data loss.
A holistic approach that secures the backup systems themselves is essential for preserving operational continuity.
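The nonce problem described above, as an added Go example written for this article (not CyberVolk's code): a per-file crypto/rand nonce is used for both layers and then dropped, so the stored ciphertext||tag can be opened only with a value that no longer exists anywhere, and the key alone is useless. The sample's second layer is ChaCha20-Poly1305, which is outside Go's standard library, so both layers here are AES-256-GCM under two constructed demo keys (assumed separate per layer so the model never reuses a GCM key/nonce pair); the nonce handling, which is the point, is unchanged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key; the only error is a bad key length.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block; 12-byte nonce
	return g
}

// sealFile mirrors the described flow: a fresh crypto/rand nonce, layer 1 then layer 2,
// and an output of ciphertext||tag only. The nonce is returned so the caller can see
// exactly what the sample discards; on disk it never exists.
func sealFile(inner, outer cipher.AEAD, plaintext []byte) (stored, nonce []byte) {
	nonce = make([]byte, outer.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return outer.Seal(nil, nonce, inner.Seal(nil, nonce, plaintext, nil), nil), nonce
}

// openFile reverses both layers; any nonce but the original fails the outer tag check.
func openFile(inner, outer cipher.AEAD, nonce, stored []byte) ([]byte, error) {
	mid, err := outer.Open(nil, nonce, stored, nil)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	return inner.Open(nil, nonce, mid, nil)
}

func main() {
	inner := newAEAD([]byte("constructed-demo-key-layer-1-32b")) // 32-byte demo keys
	outer := newAEAD([]byte("constructed-demo-key-layer-2-32b"))
	stored, nonce := sealFile(inner, outer, []byte("constructed file contents"))
	pt, err := openFile(inner, outer, nonce, stored) // original nonce: both layers open
	fmt.Printf("with nonce:    %q err=%v\n", pt, err)
	guess := make([]byte, len(nonce)) // all a decryptor without the nonce can do: guess
	rand.Read(guess)
	_, err = openFile(inner, outer, guess, stored) // authentication failure every time
	fmt.Println("without nonce:", err)
}
```

The stored output is exactly len(plaintext) plus two 16-byte tags, so a victim holding the hard-coded key still cannot recover anything, which is why the article's backup guidance is the only practical mitigation.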
4.1. V3
Ransomware/Win.BlackLock.C5764855 (2025.06.11.03).
Ransom/MDP.Behavior.M2649 (2022.09.06.00).
Ransom/MDP.Decoy.M1171 (2016.07.15.02).
4.2. EDR
Ransom/EDR.Decoy.M2716 (2025.08.07.00).
c04e70613fcf916e27bd653f38149f71.