The created ransom note | Image: AhnLab
AhnLab researchers have released an in-depth technical analysis of the CyberVolk ransomware, a strain that has been actively targeting public institutions and critical infrastructure since May 2024. What makes CyberVolk stand out is not only its geopolitical motivation but also its unrecoverable encryption design, leaving victims with little chance of data recovery.
According to AhnLab, “The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat.” The group has a clear pro-Russian stance, primarily focusing on countries perceived as hostile to Russian interests.
The report notes that “CyberVolk is a ransomware group that emerged in May 2024. It is believed to be pro-Russia and targets public institutions of countries deemed hostile to Russia’s interests.” Recently, the group claimed responsibility for attacks against infrastructure and scientific institutions in Japan, France, and the UK, while using Telegram as its main communication channel.
Once executed, the ransomware escalates its privileges by restarting with administrator rights. To maintain system stability, CyberVolk avoids encrypting certain directories such as Program Files and ProgramData. Files already encrypted with the extension .CyberVolk are also excluded, ensuring that encryption is not redundantly applied.

CyberVolk employs a layered encryption strategy that makes decryption effectively impossible. The malware first uses AES-256 in GCM mode, followed by ChaCha20-Poly1305 encryption.
AhnLab explains: “During encryption, a 12-byte random value known as a nonce is generated… The file content is then encrypted using AES-256 GCM mode. The encrypted file content is then further encrypted using ChaCha20-Poly1305.”
However, there is a critical flaw in the ransomware’s decryption routine. “During decryption, the correct Nonce value used in encryption must be used. However, an incorrect Nonce value is used in this case, causing the decryption to fail.” Because the nonce generated at encryption time is never stored anywhere, the files cannot be recovered even with the correct key.
After encryption, CyberVolk drops a ransom note named READMENOW.txt in the execution directory. Victims are warned that their files are locked and are given three attempts to enter the correct decryption key. However, as the analysis highlights, even entering the right key does not result in successful decryption due to the flawed implementation.