CyberVolk ransomware, which first emerged in May 2024, has escalated its operations against government agencies, critical infrastructure, and scientific institutions across Japan, France, and the UK.
Operating with pro-Russian leanings, CyberVolk specifically targets states perceived as hostile to Russian interests, and its encryption scheme leaves victims with no path to decryption other than restoring from backups.
This article delivers a technical analysis of CyberVolk's encryption architecture, execution flow, and the inherent flaws that prevent recovery without backups.
CyberVolk surfaced in May 2024, quickly distinguishing itself by focusing on public sector targets in countries with anti-Russian policies.
The group communicates via Telegram channels, issuing threats and ransom demands directly to victims.
Notable attacks include Japanese power grids, French research laboratories, and British scientific consortia.
CyberVolk's motivations appear geopolitically driven, aligning with pro-Russian narratives by crippling the technological capabilities of adversarial states.
Upon launch under standard user privileges, the ransomware re-executes itself with administrator rights to gain full system access.
It then builds an exclusion list to avoid destabilizing critical system directories. Paths containing the substrings "Windows," "Program Files," and "ProgramData" are omitted from encryption so that the operating system keeps booting and the ransomware can persist after a reboot.
Encryption Exclusions
CyberVolk also excludes files already bearing its custom extension, so that a second run neither re-encrypts its own output nor reinfects the host. The substring check therefore covers both system folders and the ransomware's own marker:
Windows.
Program Files.
ProgramData.
CyberVolk.
The ransomware employs a two-tiered symmetric encryption scheme using AES-256-GCM and ChaCha20-Poly1305.

A single symmetric key is generated at process initialization and applied uniformly across all target files. Each file encryption begins with a 12-byte nonce produced by crypto_rand_Read(), the symbol under which Go's crypto/rand.Read appears in the binary.

This nonce ensures distinct ciphertexts even for identical plaintexts, and both AEAD layers need that exact value again to authenticate and decrypt. File contents are first encrypted under AES-256-GCM, producing both ciphertext and an authentication tag, and that output is then encrypted a second time under ChaCha20-Poly1305 with the same nonce.
File Structure Modifications
Post-encryption files retain only the encrypted data and the ChaCha20-Poly1305 authentication tag; no nonce or key-derivation metadata is stored alongside the ciphertext. Because an AEAD cannot be opened without its nonce, and a 96-bit nonce search is infeasible, this omission makes offline decryption unachievable even for someone who holds the key.
Upon completion of encryption, the ransomware generates a ransom note named READMENOW.txt in the execution directory.
A desktop background change and the note prompt instruct victims to enter a hard-coded decryption key within three attempts.
Although decryption logic is present, it mishandles the nonce: it never retrieves or applies the original per-file value, and since that value was never written to disk there is nothing to retrieve. The AEAD tag check then fails and no plaintext is produced, so even the correct hard-coded key yields decryption failures.
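The following Go program is an added illustration of the flow described above, written for this article; it is not code from the CyberVolk sample or from the original analysis. It models the substring exclusion check, one random 12-byte nonce from crypto/rand.Read per file, AES-256-GCM followed by a second AEAD, an on-disk result that holds only ciphertext and tags, and a decryptor that does not have the original nonce. Two points are assumptions of this example rather than facts from the page: the Go standard library has no ChaCha20-Poly1305, so the second layer is a stand-in (AES-GCM under a key derived from the same key; swap in chacha20poly1305.New from golang.org/x/crypto to match the sample), and brokenDecrypt uses an all-zero nonce because the page does not state what the real decryptor substitutes. The function names isExcluded, encryptFile, decryptFile and brokenDecrypt and the sample document are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Substrings from the analysis: any path containing one of them is skipped.
var excludedSubstrings = []string{"Windows", "Program Files", "ProgramData", "CyberVolk"}

// isExcluded reproduces the described substring check against a path.
func isExcluded(path string) bool {
	for _, s := range excludedSubstrings {
		if strings.Contains(path, s) {
			return true
		}
	}
	return false
}

const nonceSize = 12 // both AES-GCM and ChaCha20-Poly1305 take a 12-byte nonce

// newLayer1 returns AES-256-GCM under the single process-wide 32-byte key.
func newLayer1(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newLayer2 is this example's stand-in for the sample's ChaCha20-Poly1305 layer.
// ASSUMPTION: the standard library has no ChaCha20-Poly1305, so a second AES-GCM
// under a key derived from the same key is used. It must not reuse the layer-1
// key: with the same key and nonce the two CTR keystreams would cancel and expose
// the plaintext. Replace the body with chacha20poly1305.New(key) to match the sample.
func newLayer2(key []byte) (cipher.AEAD, error) {
	derived := sha256.Sum256(append([]byte("layer2:"), key...))
	block, err := aes.NewCipher(derived[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile follows the described flow: fresh random nonce per file, AES-256-GCM,
// then the second AEAD over the GCM output. Only the returned ciphertext (data plus
// two 16-byte tags) is what the sample writes to disk; the nonce is returned here
// solely so the demonstration can show what a correct decryptor needs.
func encryptFile(key, plaintext []byte) (ciphertext, nonce []byte, err error) {
	l1, err := newLayer1(key)
	if err != nil {
		return nil, nil, err
	}
	l2, err := newLayer2(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, nonceSize)
	if _, err = rand.Read(nonce); err != nil { // crypto/rand.Read, as in the sample
		return nil, nil, err
	}
	inner := l1.Seal(nil, nonce, plaintext, nil) // ciphertext || 16-byte GCM tag
	outer := l2.Seal(nil, nonce, inner, nil)     // inner || 16-byte outer tag
	return outer, nonce, nil
}

// decryptFile is a correct decryptor: it needs the key AND the original nonce.
func decryptFile(key, nonce, ciphertext []byte) ([]byte, error) {
	l1, err := newLayer1(key)
	if err != nil {
		return nil, err
	}
	l2, err := newLayer2(key)
	if err != nil {
		return nil, err
	}
	inner, err := l2.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err) // tag check fails, nothing is output
	}
	return l1.Open(nil, nonce, inner, nil)
}

// brokenDecrypt models the sample's decryptor, which never reads the original nonce
// back because none is on disk. ASSUMPTION: an all-zero nonce stands in for
// "not the original"; the page does not say what value the real decryptor uses.
func brokenDecrypt(key, ciphertext []byte) ([]byte, error) {
	return decryptFile(key, make([]byte, nonceSize), ciphertext)
}

func main() {
	key := make([]byte, 32) // the single key generated at process start
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pt := []byte("constructed sample document, not real victim data")
	ct, nonce, err := encryptFile(key, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-disk size %d = %d bytes plaintext + two 16-byte tags, no nonce\n", len(ct), len(pt))
	if _, err := brokenDecrypt(key, ct); err != nil {
		fmt.Println("decryptor without the original nonce:", err)
	}
	if rec, err := decryptFile(key, nonce, ct); err == nil && bytes.Equal(rec, pt) {
		fmt.Println("with the original nonce the file recovers; without it, nothing can")
	}
}
```

The behaviour worth noting is that an AEAD Open call with the wrong nonce returns an authentication error rather than garbage, so a decryptor that lacks the nonce produces no output at all, which matches the failures described above. The on-disk growth of exactly 32 bytes (two tags, no nonce) is the same layout the analysis reports, and it is what a responder can check on an encrypted file to confirm there is no recoverable nonce at the head or tail.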
CyberVolk's self-developed ransomware leverages robust, double-layer symmetric encryption with randomly generated nonces that are never preserved, making the ciphertext irrecoverable in practice, even with the key in hand.
Its pro-Russian orientation and selective targeting of anti-Russian states underscore the geopolitical dimension of its cyber attacks.
Organizations must implement stringent backup strategies, maintaining offline, access-controlled copies of critical data, and regularly conduct recovery drills to mitigate irreversible data loss.
A holistic approach that secures the backup systems themselves is essential for preserving operational continuity.
4.1. V3
Ransomware/Win.BlackLock.C5764855 (2025.06.11.03)
Ransom/MDP.Behavior.M2649 (2022.09.06.00)
Ransom/MDP.Decoy.M1171 (2016.07.15.02)
4.2. EDR
Ransom/EDR.Decoy.M2716 (2025.08.07.00)
MD5: c04e70613fcf916e27bd653f38149f71