CyberVolk ransomware, which first emerged in May 2024, has escalated its operations against government agencies, critical infrastructure, and scientific institutions across Japan, France, and the United Kingdom.
Operating with pro-Russian leanings, CyberVolk specifically targets states perceived as hostile to Russian interests, leveraging sophisticated encryption techniques that render decryption impossible.
This article delivers a technical analysis of CyberVolk’s encryption architecture, execution flow, and the inherent flaws that prevent recovery without backups.
CyberVolk surfaced in May 2024, quickly distinguishing itself by focusing on public sector targets in nations with anti-Russian policies.
The group communicates via Telegram channels, issuing threats and ransom demands directly to victims.
Notable attacks include Japanese power grids, French research laboratories, and British scientific consortia.
CyberVolk’s motivations appear geopolitically driven, aligning with pro-Russian narratives by crippling the technological capabilities of adversarial states.
Upon launch under standard user privileges, the ransomware re-executes with administrator rights to gain full system access.
It then builds an exclusion list to avoid destabilizing critical system directories. Paths containing substrings—such as “Windows,” “Program Files,” and “ProgramData”—are omitted from encryption to maintain system stability and enable persistence after reboot.
Encryption Exclusions
CyberVolk excludes files already bearing its custom extension and system folders to prevent redundant operations and reinfection.
Windows.
Program Files.
ProgramData.
CyberVolk.
The ransomware employs a two-tiered symmetric encryption scheme using AES-256 GCM and ChaCha20-Poly1305.
A single symmetric key is generated at process initialization and applied uniformly across all target files. Each file encryption begins with a 12-byte nonce produced by crypto_rand_Read().
This nonce ensures unique ciphertexts even for identical plaintexts. File contents are first encrypted under AES-256 GCM, producing both ciphertext and an authentication tag, before being double-encrypted using ChaCha20-Poly1305.
File Structure Changes
Post-encryption files retain only encrypted data and the ChaCha20-Poly1305 authentication tag; no nonce or key derivation metadata is stored alongside the ciphertext. This omission makes offline decryption unachievable.
Upon completion of encryption, the ransomware generates a ransom note named READMENOW.txt in the execution directory.
A desktop background change and note prompt instruct victims to input a hard-coded decryption key within three attempts.
Although decryption logic is present, it incorrectly handles the nonce—failing to retrieve or apply the original value—resulting in decryption failures.
CyberVolk’s self-developed ransomware leverages robust, double-layer symmetric encryption with randomly generated nonces that are never preserved, making ciphertext irrecoverable by design.
Its pro-Russian orientation and selective targeting of anti-Russian states underscore the geopolitical dimension of its cyber assaults.
Organizations must implement stringent backup strategies—maintaining offline, access-controlled copies of critical data—and regularly conduct recovery drills to mitigate irreversible data loss.
A holistic approach that secures backup systems themselves is vital for preserving operational continuity.
4.1. V3
Ransomware/Win.BlackLock.C5764855 (2025.06.11.03).
Ransom/MDP.Behavior.M2649 (2022.09.06.00).
Ransom/MDP.Decoy.M1171 (2016.07.15.02).
4.2. EDR
Ransom/EDR.Decoy.M2716 (2025.08.07.00).
c04e70613fcf916e27bd653f38149f71.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
