CyberVolk ransomware first emerged in May 2024, rapidly evolving into a sophisticated threat aimed at government agencies and critical infrastructure in countries perceived as hostile to Russian interests.
Leveraging a dual-layer symmetric encryption process, this malware has inflicted significant operational disruptions on scientific institutions and public services across Japan, France, and the United Kingdom.
The group behind the attacks communicates exclusively via Telegram, issuing demands of $20,000 in Bitcoin and warning that any attempt to recover encrypted files will result in data destruction.
Initial infection typically occurs through targeted phishing campaigns or compromised administrative credentials, allowing the ransomware to execute under standard user privileges before relaunching with elevated rights.
ASEC analysts identified that once administrative access is obtained, the malware systematically excludes system-critical directories and files by matching predefined path strings such as “Windows” and “Program Files”.
This exclusion ensures that essential system components remain intact, preventing unintended system crashes that could thwart ransom negotiations.
ASEC researchers noted the malware’s unique double-encryption structure, combining AES-256 in GCM mode with ChaCha20-Poly1305 to secure each file.
A 12-byte random nonce is generated for every encryption operation, but critically, this nonce is not preserved in the encrypted file’s metadata, rendering decryption virtually impossible without the original key.
Once encryption concludes, CyberVolk creates a ransom note named READMENOW.txt in the affected directory, instructing victims on payment and decryption procedures.
Despite its technical sophistication, CyberVolk ransomware exhibits a deliberate flaw in its decryption routine.
When victims enter the supplied decryption key, the malware attempts to decrypt the ChaCha20-Poly1305 layer using an incorrect nonce, causing the process to fail even with a valid key.
This “camouflage decryption” tactic misleads victims into believing they can recover data through payment, while in reality, the absence of the original nonce makes recovery unfeasible.
Infection Mechanism Deep Dive
Upon execution, CyberVolk checks its privileges and, if necessary, triggers a privilege escalation routine to gain administrator rights.
It then enumerates files across all local drives, filtering out paths containing substrings defined in an exclusion table.
The core encryption routine reads each file into memory and invokes the Go-based crypto_aes_NewCipher function followed by crypto_cipher_NewGCM to perform AES-256 GCM encryption:
v15 = crypto_aes_NewCipher(keyPtr, 32, 32, 0, a5, ...)
v76 = crypto_cipher_NewGCM(v15, 32, ..., a5, ...)
nonce := make([]byte, v76.NonceSize())
crypto_rand_Read(nonce, v76.NonceSize(), ...)
ciphertext := v76.Seal(nil, nonce, fileData, nil)
This ciphertext is subsequently wrapped with ChaCha20-Poly1305, producing a compact payload consisting solely of encrypted data and an authentication tag.
By omitting the nonce in the stored payload, the developers guarantee that only they can perform valid decryption—though their own flawed implementation prevents even them from restoring files without manual nonce management.
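The following Go program is an added illustration, not code from the ASEC report or from the malware, of why the decompiled AES-GCM sequence above cannot be undone once the 12-byte nonce is lost, and why the "camouflage decryption" described earlier fails even with the right key. It uses only the standard library (crypto/aes, crypto/cipher, crypto/rand), so it covers the AES-256-GCM layer only; the same property holds for the ChaCha20-Poly1305 wrapper, which is also an AEAD with a 12-byte nonce. The key and sample input are constructed placeholders, and the function names (sealDetached, NonceLossDemo, SealEmbedded, OpenEmbedded) are this example's own. The last two functions show the pattern a recoverable tool uses: the nonce is prepended to the ciphertext so that only the key is needed later.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM is the NewCipher -> NewGCM pair from the decompiled routine; key is 32 bytes for AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDetached encrypts with a fresh random 12-byte nonce and returns the nonce
// separately: the output is ciphertext || 16-byte tag, with no nonce in it,
// which is the property the article attributes to the malware's payload.
func sealDetached(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize()) // 12 bytes for GCM
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// openDetached decrypts with whatever nonce the caller supplies. GCM's tag is
// bound to the nonce, so a wrong nonce produces an error, not garbage output.
func openDetached(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// NonceLossDemo reports whether decryption works with the original nonce and
// whether it fails once even one bit of the nonce is unknown.
func NonceLossDemo(key, plaintext []byte) (okWithNonce, failsWithoutNonce bool, err error) {
	nonce, ct, err := sealDetached(key, plaintext)
	if err != nil {
		return false, false, err
	}
	pt, err := openDetached(key, nonce, ct)
	okWithNonce = err == nil && bytes.Equal(pt, plaintext)

	wrong := append([]byte(nil), nonce...)
	wrong[0] ^= 0x01 // any nonce other than the one actually used
	_, err = openDetached(key, wrong, ct)
	failsWithoutNonce = err != nil
	return okWithNonce, failsWithoutNonce, nil
}

// SealEmbedded is the recoverable pattern: nonce || ciphertext || tag.
func SealEmbedded(key, plaintext []byte) ([]byte, error) {
	nonce, ct, err := sealDetached(key, plaintext)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// OpenEmbedded splits off the 12-byte nonce and decrypts with the key alone.
func OpenEmbedded(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)               // constructed demo key
	sample := []byte("constructed sample file contents") // constructed input
	ok, fails, err := NonceLossDemo(key, sample)
	fmt.Printf("correct nonce recovers: %v, wrong nonce fails: %v, err: %v\n", ok, fails, err)
	blob, _ := SealEmbedded(key, sample)
	pt, err := OpenEmbedded(key, blob)
	fmt.Printf("embedded-nonce recovery: %q, err: %v\n", pt, err)
}
```

With a detached nonce, the ciphertext and tag alone are not enough: aead.Open returns an authentication error for every nonce but the original, and GCM gives no partial plaintext to work from. A defender reading a sample should therefore check whether the nonce is written anywhere (file header, footer, separate manifest, or sent to the operator) before assuming a purchased key could restore data.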
The tailored infection routine, combined with sophisticated encryption layers and deliberate recovery flaws, underscores CyberVolk’s intent to maximize operational impact and victim uncertainty.
Organizations must implement off-site backups, restrict administrative access, and conduct regular recovery drills to mitigate such threats.