Submitted URL: https://detect.fyi/cybervolks-ransomware-ad38134b1b0a
Effective URL: https://detect.fyi/cybervolks-ransomware-ad38134b1b0a?gi=c0a476907b75
Submission: On September 04 via manual from TH — Scanned from DE
CYBERVOLK RANSOMWARE OR THE WAR IN THE SHADOWS OF PRO-RUSSIAN HACKER GROUPS

SIMKRA · Published in Detect FYI · 10 min read · Jul 28, 2024

CyberVolk is a hacktivist group that openly announces its allegiance to Russia. The group is politically motivated and deployed a new ransomware variant in July 2024. A campaign against Spain by CyberVolk and other hacktivists in the orbit of Russian actors is currently underway, triggered by the arrest of three members of the group NoName057(16), which is mainly known for attacking countries that support NATO and the West. I have already written an article on their DDoS campaigns in the context of their targeting of the Danish government.

Angry terrorists are declaring vendetta against Spanish authorities — netscout

CyberVolk is only one of over 70 groups that have joined forces to take revenge for the arrest of their members in the "holy war" against Spain. Although the current DDoS attacks on Spain have indeed increased, their number is still below the normal volume of attacks against Spain seen since the three members were detained. Nevertheless, 27 institutions have officially been affected by CyberVolk's attacks since the group's self-proclaimed holy act of aggression against its supposed enemy. The information, together with a detailed analysis and the characteristics of the attacks, can be found on the netscout website.

> Since the hacktivist call to arms, the number of DDoS attacks against Spain has thus far been within the normal bounds of attacks seen against the country. In fact, they have been lower in July than at nearly any other time in 2024. As of the time of this writing, July 23 is on track to continue the upward trajectory started on the 22nd (Figure 2) and we may see the highest point of attacks in all of July, but still quite below surges seen earlier in the year.
> It's almost certainly true that this most recent spike is a direct tie to the retaliation of NoName057(16) and other hacktivist groups. Should we see a dramatic increase in the number of attacks, we will amend this blog with additional details and characteristics of the attacks.

The aim of this article is to take a closer look at the group and its latest ransomware, and to derive possible technical advantages from the findings gained.

OSINT AS STARTING POINT

First, let's take a look at the ransomware, which was published recently and could shed light on the aggressor's ecosystem and infrastructure. One example is the file key_gen.zip with the SHA256 ed6c889c833ba5a210bd5c535564ef185b014a34397bbb8b91c7be890f16fe88.

Elite Hackers CyberVolk leaked by MalwareHunterTeam

Fox_threatintel also posted about a domain hacked by CyberVolk: http://www[.]integradoradeservicios[.]com[.]mx

Fox_threatintel was able to establish via L.top4top[.]io that the site loads a jpg, which could be another reliable piece of information about the identity of one of the hackers. He also found that the c3ber byt3s group allegedly uses the same ransomware crypter, as mentioned on the blog. I have translated the website; it contains the following information:

> If you do not see images here, use a VPN.
>
> Ransomware THE DIGEST "CRYPTO-RANSOMWARE"
>
> Ransomware (ransomware virus). Protection against ransomware programs. How to remove a ransomware virus?
> Ransomware is a malicious program that encrypts files and demands a ransom for their decryption.
> This site is a DIGEST and PRIMARY SOURCE of information about ransomware and all kinds of extortionists.
> Author's articles, instructions for victims, recommendations for protection and prevention of the Ransomware threat.
> MONDAY, JULY 1, 2024
>
> CYBERVOLK
>
> CYBERVOLK RANSOMWARE
>
> ALIASES: CYBERBYTES, CYB3R BYTES
>
> (RANSOMWARE) (ORIGINAL SOURCE IN RUSSIAN) TRANSLATION INTO ENGLISH
>
> This crypto-ransomware encrypts user data using a combination of AES+SHA-512+RSA-4096 algorithms, then demands a ransom of $1000 in BTC to return the files. Original name: CyberVolk. The file says: ransom.exe. Written in C/C++. The group calls itself CyberVolk.
> ---
> Detections:
> DrWeb -> Trojan.Encoder.39187
> BitDefender -> Trojan.GenericKD.73332128
> ESET-NOD32 -> A Variant Of Win32/Filecoder.OQW
> Kaspersky -> HEUR:Trojan-Ransom.Win32.GenericCryptor.gen
> Malwarebytes -> Trojan.FileCryptor
> Microsoft -> Ransom:Win32/CyberVolk.PA!MTB
> Rising -> Ransom.Agent!8.6B7 (CLOUD)
> Tencent -> ***
> TrendMicro -> Ransom_CyberVolk.R002C0DG524
> ---
>
> © Genealogy: kinship is being revealed >> CyberVolk
>
> The website "ID Ransomware" has identified this as CyberVolk since July 5, 2024.
>
> Identification information
>
> This ransomware was active in early July 2024. It targets English-speaking users and can be distributed worldwide.
>
> The encrypted files are appended with the extension: .cvenc
>
> The ransom note is called: CyberVolk_ReadMe.txt
>
> The ransom note content:
>
> Greetings.
> All your files have been encrypted by CyberVolk ransomware.
> Please never try to recover your files without decryption key which I give you after pay.
>
> They could be disappeared
> You should follow my words.
> Pay $1000 BTC to below address.
> My telegram: @hacker7
> Our Team: https://t[.]me/cubervolk
> We always welcome you and your payment.
>
> Ransom demands are also written on the lock screen, and the desktop wallpaper is changed to the group's own, with the same cyber wolf.
>
> ✋ Warning! New identification elements: extensions, email, ransom notes can be found at the end of the article, in the updates. They may differ from the first version.
>
> Technical details + IOC
>
> Can be distributed by hacking through an unprotected RDP configuration, with email spam and malicious attachments, deceptive downloads, botnets, exploits, malware, web injections, fake updates, repackaged and infected installers. See also "The main ways of spreading crypto-ransomware" on the blog's introductory page.
>
> ✋ Warning! If you neglect comprehensive antivirus protection of the Internet Security or Total Security class, then at least make backup copies of important files using the 3-2-1 method.
>
> List of file types that are subject to encryption:
> These are MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives, etc.
>
> Files related to this Ransomware:
> CyberVolk_ReadMe.txt — the name of the ransom demand file;
> tmp.bmp — an image that replaces the desktop wallpaper;
> time.dat — a special file with numbers;
> ransom.exe — a random name of a malicious file.
>
> Locations:
> \Desktop\ ->
> \User_folders\ ->
> \%TEMP%\ ->
> C:\Users\admin\AppData\Local\Temp\Rar$DRb3416.36390\ransom.exe
> C:\Users\admin\AppData\Roaming\time.dat
> C:\Users\admin\AppData\Local\Temp\tmp.bmp
>
> Registry entries associated with this Ransomware:
> See analysis results below.
>
> Mutexes:
> See analysis results below.
> Network connections and links:
> Email: -
> Telegram: @hacker7
> Telegram: hxxxs://t[.]me/hackerk7
> Telegram: hxxxs://t[.]me/cubervolk
>
> BTC: bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87
>
> See below in updates for other addresses and contacts.
>
> Analysis results:
> IOC: VT, IA, TG, AR
> MD5: 648bd793d9e54fc2741e0ba10980c7de
> SHA-1: f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
> SHA-256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
> Vhash: 086046655d1567z90058hz12z1bfz
> Imphash: f032b4cc0eb4f2eac3f528efe4c7396

Cy3ber Bytes, CyberBytes and CyberVolk correlation

Fox also reached out to one of the affiliates to let him know that he is a blackhat, and got an answer which shows how carelessly some of them communicate.

hackerk1 leakage by Fox_threatintel

WHAT DO WE KNOW ABOUT THE FILES AND INFRASTRUCTURE?

First of all, diving deeper into the IOCs with the VirusTotal Graph, I found the main files communicating with nine German servers, the US servers listed below and two Dutch servers.

EXECUTION PARENTS ARE:

The file all.zip with the SHA256 hash d42cbaef106015b444ed9c5d5e64332bf089cbd09bb26554885e64d42b895e0a

ransom.exe with the SHA256 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

key_gen.zip with the SHA256 ed6c889c833ba5a210bd5c535564ef185b014a34397bbb8b91c7be890f16fe88

The dropped CyberVolk_ReadMe.txt, detected as JavaScript, with the SHA256 894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee belongs to all.zip. The graph shows different timestamps between 01.07.2024 and 20.07.2024.
VirusTotal Graph (www.virustotal.com)

Another file, main.exe with the SHA256 60e2a4abcb80b43e6d2f04ea9a45a84b0a2fb0d238ae1a28eff6635527058362, belongs to the version of 20.07.2024.

The German servers are all in the same network range and have the following IPs:
104[.]126[.]37[.]129
104[.]126[.]37[.]131
104[.]126[.]37[.]136
104[.]126[.]37[.]155
104[.]126[.]37[.]161
104[.]126[.]37[.]163
104[.]126[.]37[.]179
104[.]126[.]37[.]185
104[.]126[.]37[.]186

As a matter of fact, the name of the group raises the question of whether there may be German affiliates.

The US servers are:
150[.]171[.]27[.]10
150[.]171[.]28[.]10
204[.]79[.]197[.]203

Other sandbox data additionally shows the US EDGECAST server with the IP 192[.]229[.]211[.]108 and the domain fp2e7a[.]wpc[.]phicdn[.]net for the all.zip file. For the ransom.exe within all.zip we see the domain ax-0001[.]ax-msedge[.]net.

The Dutch servers communicating with the ransomware are:
178[.]79[.]208[.]1
87[.]248[.]202[.]1

OSINT on the IP 192[.]229[.]211[.]108, the US EDGECAST server, shows older campaigns from LockBit and Play, Cobalt Strike beacons within collections, and other campaigns. The latest whois from 08.01.2024 also shows, after the registration, interesting campaigns such as 8Base/Phobos, Neshta malware and a campaign impacting the Azure cloud environment.

WHAT ABOUT THE LANGUAGE THE AFFILIATES USE?

The semantics point to an American origin, or a twisted psychology of words, when the threat actors speak of "in shadow we trust" instead of "in god we trust", and their slogan goes on to say "in silence we strike". However, what is supposed to be silent about a DDoS campaign is not really conclusive to me.
In Shadow We Trust, In Silence We Strike — CyberVolk in the darknet

DEEP DIVE INTO THE RANSOMWARE

Now let's get to the ransomware itself. The ransom.exe carries the timestamp 01.07.2024 and 32-bit machine characteristics. The ransomware is written in C++. Various files are dropped which unfortunately were not detected by any AV and should definitely be integrated into a detection as IOCs, in combination with the essential files of the ransomware mentioned above. These are as follows:

time.dat with the SHA256 f837bce807410ac6f8b52fcee81a1ffaa2d7f77755861f2e6f2b482bff0f6fe9
rsa.txt with the SHA256 14c93bd3e40fa06333ac98f54f892e90a1f59c4d5d3beb0b3b76746e85f904d4
main.exe with the SHA256 60e2a4abcb80b43e6d2f04ea9a45a84b0a2fb0d238ae1a28eff6635527058362
sysmon.xml with the SHA256 0591e2c04e7fdb740bc526d41a7de78831cd55bb7c6eae57f146eb13faf98051
ransom.exe with the SHA256 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
tmp.bmp with the SHA256 62f39e3ac5a3badb3d223f8cad5e40d7c1ca6476dd6e2ada861cc24ad8e5feee

Undetected tmp.bmp also seen in VT as 104.bmp

In addition, the ransomware also deletes various files, including the ransomware itself.

BABUK CODE WITHIN THE RANSOMWARE?

I found a hint that the CyberVolk ransomware could contain code from Babuk. Babuk's source code was leaked online, and from there several groups have used the code:

> On September 3rd in 2021, greyhats researchers (operating under the vx-underground name) reported that a Russian-speaking cybercriminal, who is believed to be one of the developers of the Babuk gang, decided to leak the complete Babuk source code for Windows, ESXI, NAS versions. The youngster justified this sharing because he was diagnosed with terminal cancer at age 17, but this is highly questionable and probably fake.
>
> This most probably is yet another betrayal and backstabbing in Babuk's short history.
> Indeed, the Babuk gang members splintered after the attack on the Washington DC's Metropolitan Police Department (MPD). The 'Admin' allegedly wanted to leak the data to gain publicity, while the other gang members were against it. After the dispute, the original Admin was banned from most prominent forums and formed the RAMP (Ransom Anon Market Place) forum because of the ban of RaaS in most prominent forums. The rest of the team and affiliates launched Babuk V2, to continue attacking victims through ransomware to this day.
>
> The source code was leaked on a popular Russian-speaking hacking forum and is legitimate according to Emsisoft and McAfee. The leak contains everything a threat actor needs to create a functional ransomware executable. For instance, the Windows folder contains the complete source code for the Windows encryptor, decryptor, and what appears to be a private and public key generator.

My hypothesis is that CyberVolk does not necessarily have to be an affiliate of Babuk, because the code was completely leaked by the ransomware group itself and, among others, the Rorschach ransomware also contains parts of the Babuk code, as do other ransomware families such as Prometheus or Rook. I have already described an analysis of Rorschach in this article.

As mentioned above, the CyberVolk_ReadMe.txt file is recognized as a JavaScript file and is a 640x400 bitmap with the information about the encryption, the group and who to contact.

@ghostdoor_maldev "strikes fear into the hearts of their targets"

In the ransomware you will find the following URLs:
https://t[.]me/cubervolk
www[.]di-mgt[.]com[.]au

URL of the CyberVolk Ransomware

OTHER INTERESTING FINDINGS AROUND CYBERVOLK ON THE EDGECAST SERVER

In the collections, I noticed campaigns using the Confluence exploit CVE-2023-22518. The Cerber ransomware group (also known as Hound Spider), which also operates as CerberImposter, is known for this, for example.
However, I could not find any correlations between the ransomware groups. If you know more, you are welcome to share the information. Another one is CVE-2023-4966 in Citrix NetScaler, which is used by LockBit 3.0. But neither CVE is known to be actively exploited by CyberVolk; both are known campaigns from 2023.

CONCLUSION

CyberVolk is a hacktivist group that, in its latest campaign, takes revenge for political reasons. Their language is polemical and the ransomware appears to be a mix of their own code and Babuk components. It is advisable to check the indicators from the VT Graph and, where feasible, to block the servers as well as the IOCs. We have to assume that there will continue to be attacks of this kind, because non-kinetic methods give politically motivated groups the opportunity to influence politics and society. The message in this case would be: as soon as you arrest one of us, we will take revenge collectively. They probably wanted to intimidate the Spanish authorities, in which they clearly did not succeed. You don't negotiate with terrorists. More arrests are likely to follow. It also shows how carelessly some affiliates communicate, without any fear of being detained. What does this tell us about their psychology?
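The conclusion recommends checking the indicators and, where feasible, blocking the servers and IOCs. The following Python script is an added example (not code from the article or from Detect FYI) that turns the indicators listed in the article (the file hashes from the DEEP DIVE and EXECUTION PARENTS sections, the dropped artifact names, the .cvenc extension, and the defanged IPs and domains from the infrastructure section) into a matcher over Sysmon-style events. The JSON-lines input format with Sysmon-like field names (EventType, Image, TargetFilename, Hashes, DestinationIp) is an assumption, and all sample events are constructed test data, not real telemetry.

```python
"""
Match the CyberVolk indicators from the article against Sysmon-style events.
Added example; not code from the article or Detect FYI. Indicator values are
copied from the article; the JSON-lines event format, the Sysmon-like field
names and every sample event below are assumptions / constructed test data.
"""
import json
from collections import Counter

# File hashes listed in the article (SHA256 -> file name).
SHA256_IOCS = {
    "102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12": "ransom.exe",
    "60e2a4abcb80b43e6d2f04ea9a45a84b0a2fb0d238ae1a28eff6635527058362": "main.exe",
    "f837bce807410ac6f8b52fcee81a1ffaa2d7f77755861f2e6f2b482bff0f6fe9": "time.dat",
    "14c93bd3e40fa06333ac98f54f892e90a1f59c4d5d3beb0b3b76746e85f904d4": "rsa.txt",
    "0591e2c04e7fdb740bc526d41a7de78831cd55bb7c6eae57f146eb13faf98051": "sysmon.xml",
    "62f39e3ac5a3badb3d223f8cad5e40d7c1ca6476dd6e2ada861cc24ad8e5feee": "tmp.bmp",
    "894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee": "CyberVolk_ReadMe.txt",
    "d42cbaef106015b444ed9c5d5e64332bf089cbd09bb26554885e64d42b895e0a": "all.zip",
    "ed6c889c833ba5a210bd5c535564ef185b014a34397bbb8b91c7be890f16fe88": "key_gen.zip",
}
# Artifacts the article says are dropped, and the encrypted-file extension.
DROPPED_FILES = {"cybervolk_readme.txt", "time.dat", "tmp.bmp", "rsa.txt"}
ENCRYPTED_EXT = ".cvenc"
# Network indicators exactly as the article defangs them.
DEFANGED_NETWORK = [
    "104[.]126[.]37[.]129", "104[.]126[.]37[.]131", "104[.]126[.]37[.]136",
    "104[.]126[.]37[.]155", "104[.]126[.]37[.]161", "104[.]126[.]37[.]163",
    "104[.]126[.]37[.]179", "104[.]126[.]37[.]185", "104[.]126[.]37[.]186",
    "150[.]171[.]27[.]10", "150[.]171[.]28[.]10", "204[.]79[.]197[.]203",
    "192[.]229[.]211[.]108", "178[.]79[.]208[.]1", "87[.]248[.]202[.]1",
    "fp2e7a[.]wpc[.]phicdn[.]net", "ax-0001[.]ax-msedge[.]net",
    "www[.]di-mgt[.]com[.]au",
]


def refang(indicator: str) -> str:
    """Undo the article's defanging so the value matches real log fields."""
    return indicator.replace("[.]", ".").replace("hxxxs://", "https://").lower()


NETWORK_IOCS = {refang(i) for i in DEFANGED_NETWORK}


def parse_sysmon_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; map algo -> digest."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_event(event: dict) -> list:
    """Return (severity, reason) pairs for one event; empty list if clean."""
    hits = []
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in SHA256_IOCS:
        hits.append(("high", f"SHA256 matches known file {SHA256_IOCS[sha256]}"))
    path = (event.get("TargetFilename") or event.get("Image") or "").lower()
    name = path.rsplit("\\", 1)[-1]
    if name in DROPPED_FILES:
        hits.append(("high", f"dropped artifact {name}"))
    if name.endswith(ENCRYPTED_EXT):
        hits.append(("high", f"file with ransomware extension {ENCRYPTED_EXT}"))
    # The article itself labels 192.229.211.108 an Edgecast (CDN) server, and
    # CDN/edge addresses also carry legitimate traffic, so a network hit on its
    # own is flagged for review rather than treated as a confirmed infection.
    for key in ("DestinationIp", "DestinationHostname", "QueryName"):
        value = str(event.get(key, "")).lower()
        if value and value in NETWORK_IOCS:
            hits.append(("review", f"network indicator {value}; corroborate before blocking"))
    return hits


def scan(lines) -> list:
    """Scan JSON-lines events; malformed lines are skipped, not fatal."""
    results = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            results.append({"line": lineno, "type": event.get("EventType"), "hits": hits})
    return results


def summarize(results) -> Counter:
    """Count findings per severity across all scanned events."""
    return Counter(sev for r in results for sev, _ in r["hits"])


# Constructed sample events (not real telemetry); paths follow the article.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventType": "ProcessCreate",
     "Image": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$DRb3416.36390\\ransom.exe",
     "Hashes": "SHA256=102276AE1F518745695FE8F291BF6E69856B91723244881561BB1A2338D54B12"},
    {"EventType": "FileCreate", "TargetFilename": "C:\\Users\\admin\\AppData\\Roaming\\time.dat"},
    {"EventType": "FileCreate", "TargetFilename": "C:\\Users\\admin\\Desktop\\invoice.pdf.cvenc"},
    {"EventType": "NetworkConnect", "DestinationIp": "104.126.37.129"},
    {"EventType": "NetworkConnect", "DestinationIp": "10.0.0.5"},
    {"EventType": "FileCreate", "TargetFilename": "C:\\Users\\admin\\Documents\\notes.txt"},
]] + ["this line is not JSON and is skipped"]

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for f in findings:
        print(f"line {f['line']:>2} {f['type']:<15} {f['hits']}")
    print(dict(summarize(findings)))
```

Hash, dropped-file and extension matches are scored high because they are specific to this family; the network indicators are deliberately scored as review items, since the article itself describes 192.229.211.108 as an Edgecast server and such shared CDN or edge infrastructure produces false positives if blocked outright. Feed the script real Sysmon exports (converted to one JSON object per line) in place of SAMPLE_EVENTS to hunt for the same indicators.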