CyberVolk Ransomware Attacking Windows System in Critical Infrastructure and Scientific Institutions

Posted on September 10, 2025 by CWS

CyberVolk ransomware first emerged in May 2024 and quickly evolved into a sophisticated threat aimed at government agencies and critical infrastructure in countries perceived as hostile to Russian interests.

Using a dual-layer symmetric encryption process, the malware has caused significant operational disruption at scientific institutions and public services across Japan, France, and the UK.

The group behind the attacks communicates solely via Telegram, demanding $20,000 in Bitcoin and warning that any attempt to recover encrypted files will result in data destruction.

Initial infection typically occurs through targeted phishing campaigns or compromised administrative credentials, allowing the ransomware to execute under standard user privileges before relaunching with elevated rights.

ASEC analysts found that once administrative access is obtained, the malware systematically excludes system-critical directories and files by matching predefined path strings such as “Windows” and “Program Files”.

CyberVolk execution flow (Source – ASEC)

This exclusion keeps essential system components intact, preventing unintended system crashes that could thwart ransom negotiations.

ASEC researchers noted the malware’s distinctive double-encryption structure, which combines AES-256 in GCM mode with ChaCha20-Poly1305 to secure each file.

A 12-byte random nonce is generated for every encryption operation, but critically, this nonce is not preserved in the encrypted file’s metadata, rendering decryption virtually impossible without the original key.

Once encryption concludes, CyberVolk creates a ransom note named READMENOW.txt in the affected directory, instructing victims on payment and decryption procedures.

Generated ransom note (Source – ASEC)

Despite its technical sophistication, CyberVolk ransomware exhibits a deliberate flaw in its decryption routine.

When victims enter the supplied decryption key, the malware attempts to decrypt the ChaCha20-Poly1305 layer using an incorrect nonce, causing the process to fail even with a valid key.

Camouflage decryption progress (Source – ASEC)

This “camouflage decryption” tactic misleads victims into believing they can recover their data by paying, while in reality the absence of the original nonce makes recovery unfeasible.

Infection Mechanism Deep Dive

Upon execution, CyberVolk checks its privileges and, if necessary, triggers a privilege escalation routine to gain administrator rights.

It then enumerates files across all local drives, filtering out paths that contain substrings defined in an exclusion table.

The core encryption routine reads each file into memory and invokes the Go function crypto_aes_NewCipher followed by crypto_cipher_NewGCM to perform AES-256-GCM encryption (decompiler output, rendered here as the equivalent Go):

block, err := aes.NewCipher(key)  // crypto_aes_NewCipher; a 32-byte key selects AES-256
if err != nil { return err }
aead, err := cipher.NewGCM(block) // crypto_cipher_NewGCM
if err != nil { return err }
nonce := make([]byte, aead.NonceSize())                  // 12-byte GCM nonce
if _, err := rand.Read(nonce); err != nil { return err } // crypto_rand_Read: fresh nonce per file
ciphertext := aead.Seal(nil, nonce, fileData, nil)       // the nonce itself is not written alongside the output

This ciphertext is then wrapped with ChaCha20-Poly1305, producing a compact payload consisting solely of encrypted data and an authentication tag.

By omitting the nonce from the stored payload, the developers ensure that only they can perform a valid decryption, though their own flawed implementation prevents even them from restoring files without manual nonce management.

The tailored infection routine, combined with sophisticated encryption layers and deliberate recovery flaws, underscores CyberVolk’s intent to maximize operational impact and victim uncertainty.

Organizations should implement off-site backups, restrict administrative access, and conduct regular recovery drills to mitigate such threats.
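To make the nonce argument concrete, and to show why the “camouflage decryption” described earlier fails even with a valid key, here is an added Go example; it is not part of the ASEC analysis or the malware’s code. It uses only the standard library’s AES-256-GCM (the ChaCha20-Poly1305 layer lives in golang.org/x/crypto and is left out), a constructed 32-byte key and a constructed sample buffer, and contrasts a detached nonce that was never stored with the conventional nonce||ciphertext layout that any key holder can open.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample inputs for the demonstration; not real malware artefacts.
var sampleKey = bytes.Repeat([]byte{0x42}, 32) // 32 bytes selects AES-256
var sampleFile = []byte("quarterly-results.xlsx body (constructed sample)")

// newGCM wraps the two calls seen in the decompiled routine.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDetached encrypts with a fresh random nonce and hands back the nonce and
// ciphertext separately. Keeping only the ciphertext, as the article describes,
// is the step that makes the data unrecoverable.
func sealDetached(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize()) // 12 bytes for GCM
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = aead.Seal(nil, nonce, plaintext, nil)
	return nonce, ciphertext, nil
}

// openDetached decrypts given the exact nonce used at seal time. With any other
// nonce the GCM tag check fails, so the correct key alone is not enough.
func openDetached(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// recoverableWithFreshNonce models the "camouflage decryption" outcome: the
// original nonce is gone, a new one is generated, and Open is attempted.
func recoverableWithFreshNonce(key, ciphertext []byte) bool {
	fresh := make([]byte, 12)
	if _, err := rand.Read(fresh); err != nil {
		return false
	}
	_, err := openDetached(key, fresh, ciphertext)
	return err == nil
}

// sealAttached is the conventional layout nonce || ciphertext: the payload is
// self-describing and anyone holding the key can open it.
func sealAttached(key, plaintext []byte) ([]byte, error) {
	nonce, ct, err := sealDetached(key, plaintext)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// openAttached splits the stored nonce from the ciphertext and decrypts.
func openAttached(key, payload []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(payload) < n+aead.Overhead() {
		return nil, errors.New("payload too short to hold nonce and tag")
	}
	return aead.Open(nil, payload[:n], payload[n:], nil)
}

func main() {
	nonce, ct, _ := sealDetached(sampleKey, sampleFile)
	p, err := openDetached(sampleKey, nonce, ct)
	fmt.Println("right key + original nonce:", err == nil && bytes.Equal(p, sampleFile))
	fmt.Println("right key + lost nonce    :", recoverableWithFreshNonce(sampleKey, ct))
	payload, _ := sealAttached(sampleKey, sampleFile)
	p, err = openAttached(sampleKey, payload)
	fmt.Println("nonce stored in payload   :", err == nil && bytes.Equal(p, sampleFile))
}
```

The second line of output is what a victim experiences: the routine runs, the key is right, and Open still returns an authentication error because the 12 bytes that were never written down cannot be regenerated. For defenders the lesson is the same one the mitigations below draw: a payload built this way is not decryptable by anyone, so restoration depends entirely on backups that the ransomware never touched.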
