CyberVolk/GLORIAMIST, an Indian hacktivist group with pro-Russia affiliations, conducted multiple ransomware attacks between June and October 2024, targeting various organizations.
This and similar groups exploit geopolitical tensions to launch and justify cyberattacks against public and government targets, presenting themselves as aligned with the goals of the Russian government.
The CyberVolk, AzzaSec, and DoubleFace ransomware families share a common codebase, and the groups behind them are linked through shared tooling and the ransomware families they promote, such as HexaLocker and Parano, pointing to a collaborative rather than isolated threat ecosystem.
Hacktivist groups are highly unstable, frequently experiencing internal conflicts, threats, and exaggerated political claims, which leads to frequent shifts in their structure and the overall threat landscape.
CyberVolk has emerged as a significant threat, combining DDoS attacks, ransomware, and alliances with groups such as LAPSUS$ and NONAME057(16) to target a range of entities, and citing current geopolitical tensions to justify its operations.
AzzaSec, a pro-Russia hacktivist group, leaked its Windows ransomware source code in June 2024, enabling other aligned groups like CyberVolk to adopt and modify it for their own malicious activities.
The group initially used AES for encryption and SHA512 for key generation but later upgraded to a more robust encryption scheme involving ChaCha20-Poly1305, AES, RSA, and quantum-resistant algorithms.
CyberVolk ransomware appends the .CyberVolk extension to encrypted files, displays a 5-hour countdown on the payment screen, demands a $1000 ransom in BTC or USDT, and drops a ransom note with contact details; the countdown state is kept in a time.dat file.
The group has actively targeted Japanese organizations, including critical infrastructure providers such as the Japan Meteorological Agency, deploying its custom CyberVolk ransomware and using the 5-hour timer to pressure victims into paying.
The source code for Invisible ransomware has also been leaked, exposing its core functionality: it encrypts files with AES-256 and wraps the file keys with RSA-2048, enforces a 5-hour countdown timer, and terminates specific processes to hinder recovery attempts.
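The encryption layout described above and in the CyberVolk scheme (a symmetric key per file, wrapped under the operator's RSA public key) is what makes offline recovery impossible without the private key: the encryptor never carries that key, so nothing left on the victim host can unwrap the file key. The Go program below is an added illustration written for this page, not CyberVolk, Invisible or HexaLocker code. It assumes AES-256-GCM for the file and RSA-2048 OAEP for key wrapping (the page does not state modes or padding), uses a throwaway key pair, and operates on a constructed in-memory sample rather than on files. It also shows the flip side of authenticated encryption: corrupting either the wrapped key or the ciphertext is rejected outright rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

var samplePlaintext = []byte("quarterly-report.docx: constructed sample bytes") // constructed, not real data

// Envelope: per-file AES key wrapped under the operator's RSA public key, GCM nonce, ciphertext+tag.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// newGCM builds an AES-GCM instance; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptHybrid encrypts data under a fresh random AES-256 key and wraps that key with
// RSA-2048 OAEP. The encryptor only holds the public key, so the host cannot unwrap it.
func encryptHybrid(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}

// decryptHybrid is the recovery path: unwrap the file key with the RSA private key, then
// decrypt with AES-GCM. Without the private key the file key is unrecoverable.
func decryptHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// corrupt returns a copy of b with one bit flipped in its last byte.
func corrupt(b []byte) []byte {
	c := append([]byte(nil), b...)
	c[len(c)-1] ^= 0x01
	return c
}

type DemoResult struct {
	Recovered                    []byte
	WrappedKeyErr, CiphertextErr error // both expected non-nil: tampering must be rejected
}

// RunDemo: throwaway RSA-2048 key pair, round trip, then two tamper attempts (OAEP and GCM tag).
func RunDemo() (*DemoResult, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	env, err := encryptHybrid(&priv.PublicKey, samplePlaintext)
	if err != nil {
		return nil, err
	}
	res := &DemoResult{}
	if res.Recovered, err = decryptHybrid(priv, env); err != nil {
		return nil, err
	}
	_, res.WrappedKeyErr = decryptHybrid(priv, &Envelope{corrupt(env.WrappedKey), env.Nonce, env.Ciphertext})
	_, res.CiphertextErr = decryptHybrid(priv, &Envelope{env.WrappedKey, env.Nonce, corrupt(env.Ciphertext)})
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; tampering rejected: %v\n", res.Recovered, res.WrappedKeyErr != nil && res.CiphertextErr != nil)
}
```

The practical takeaway for responders is in decryptHybrid: the only input that unlocks the file key is the RSA private key, which never touches the victim host, so analysing the sample or the time.dat countdown file does not yield a decryption path; recovery planning has to rest on offline backups.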
HexaLocker, a Golang-based ransomware linked to LAPSUS$, emerged in July 2024; it targets Windows systems, employs evasion techniques, and has been actively developed and promoted within the CyberVolk community.
Despite HexaLocker's recent shutdown announcement, the release of its source code and infrastructure raises concerns that its capabilities will proliferate into future threats.
According to Sentinel Labs, CyberVolk and other hacktivist groups were banned from Telegram in early November 2024, likely due to malicious reporting and threats, prompting a migration to the X platform.
Recent reports indicate that a former member of AzzaSec and DoubleFace is exploiting Telegram's Terms of Service to get hacktivist channels shut down and using that as leverage for extortion, a development likely driven by the platform's decreasing reliability and increased surveillance.
CyberVolk's rapid adoption and adaptation of various ransomware tools, including AzzaSec Ransom, Diamond RW, LockBit, and Chaos, highlights the dynamic nature of hacktivist groups.
This evolution, fueled by shifting alliances and tool sharing, presents significant challenges for cybersecurity teams already struggling to keep pace with a complex and constantly shifting threat landscape.