CyberVolk - A deep dive into the hacktivists, tools and ransomware fuelling pro-Russian cyber attacks
November 2024 by SentinelLabs
CyberVolk is a politically motivated hacktivist collective which launched its own Ransomware-as-a-Service (RaaS) in June 2024. The group uses both DDoS and ransomware attacks in its efforts to undermine and disrupt the operations of those opposed to Russian interests.
SentinelLabs provides an overview of a number of ransomware families within the context of CyberVolk’s operations, breaking down the increasingly blurred lines between tools and group affiliations. Understanding the shifting nature of dynamic hacktivist collectives like CyberVolk can help organisations prepare and fortify their defences.
Background
CyberVolk has become an increasingly prominent player within the cybercrime ecosystem, adopting and repurposing existing commodity malware to advance its causes. Highly skilled actors within the collective expand and revise such tools, effectively making them more sophisticated as they move through various hands.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others. This adaptability makes the group highly dynamic and increasingly challenging to track.
CyberVolk is a pro-India/pro-Russia “hacktivist” group that has been actively targeting entities in multiple countries. In its current form, it emerged during May 2024. CyberVolk exploits current geopolitical issues to launch and justify its attacks on public and government entities.
While the group claims alliances with other broad groups such as LAPSUS$, Anonymous, and the Moroccan Dragons, it has also been associated with NONAME057(16) and other RU-friendly, DDoS-focused groups. However, CyberVolk has also embraced ransomware as a tool to further its cause, with self-branded ransomware payloads as well as alliances with associated ransomware families, namely Doubleface, HexaLocker, and the Parano family.
Key points:
• CyberVolk/GLORIAMIST is a hacktivist collective originating in India with pro-Russia leanings. Between June and October 2024, CyberVolk claimed responsibility for multiple ransomware attacks.
• The main objective of CyberVolk and related groups is to leverage geopolitical issues to launch and justify attacks on public and government entities, primarily in the service of Russian government interests.
• SentinelLabs has observed a shared codebase used by CyberVolk, AzzaSec and DoubleFace’s ransomware. Additionally, CyberVolk has promoted other ransomware families like HexaLocker and Parano. These groups and the tools they leverage are all closely intertwined.
• These hacktivist groups are extremely dynamic and volatile. In-fighting, threats, and inflated political posturing are common, leading to fragmentation and the rapid re-shaping of the hacktivist threat landscape.
Conclusion
As groups like CyberVolk leverage openly available commodity tools with high potential for causing damage, they continue to add more layers of complexity, expanding and revising the tools as they are passed around within the collective. Ransomware operations will only get muddier, increasing how much cybersecurity teams need to monitor in order to stay up to date on developments within the cybercrime ecosystem.