Saturday, December 7, 2024
HomeCyber CrimeResearchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

Published on

SIEM as a Service

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond, LockBit, and Chaos to launch DDoS and ransomware attacks against targets opposing Russian interests. 

The highly skilled members of the group modify and improve these tools, which results in an increase in their level of sophistication and makes it more difficult to track them down. 

June 2024 Release of AzzaSec Ransomware

A pro-Russia hacktivist group emerged in May 2024, leveraging the AzzaSec ransomware code, leaked in June 2024, which was originally developed by a pro-Russia, anti-Israel, and anti-Ukraine group and was adopted and modified by various aligned groups, including CyberVolk.

- Advertisement - SIEM as a Service

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operations of CyberVolk consist of a variety of distributed denial of service attacks, defacements, and ransomware, and they frequently target entities in countries that are in alliance with Russia. 

CyberVolk wallpaper with countdown timer

CyberVolk, a ransomware-as-a-service (RaaS) group, emerged in late June 2024, leveraging modified AzzaSec ransomware, as their Windows-specific payloads, written in C++, employ encryption algorithms like AES and SHA512. 

A countdown timer is displayed, files are encrypted, and the extension.CyberVolk is appended to the filename. 

It has recently targeted entities in Japan, including government agencies and research institutions, as part of their “#OpJP” campaign, as their operations involve ransomware distribution, victim extortion, and active promotion on social media platforms.

CyberVolk-encrypted files

Invisible/Doubleface ransomware, a variant of AzzaSec ransomware, emerged from a collaboration between CyberVolk and Doubleface Team, which employs AES-256 encryption for files and RSA-2048 for key wrapping. 

The ransomware imposes a 5-hour timeout for victim action, enforced by a timer mechanism.

Its source code, publicly leaked, reveals details about its encryption methods, timeout implementation, and ransom note generation.

HexaLocker, a ransomware group associated with LAPSUS$, emerged in July 2024 with the goal of “Lock. Demand. Dominate.”

The group’s Golang-based ransomware targeted Windows systems and was actively developed and promoted within the CyberVolk community. 

HexaLocker Telegram message

In October 2024, HexaLocker’s lead developer, ZZART3XX, announced the group’s shutdown and offered to sell the ransomware source code and infrastructure, signaling a potential shift in the threat landscape. 

CyberVolk, an active threat actor, has recently introduced Parano Ransomware, a new ransomware variant featuring strong anti-analysis measures and AES-128/RSA-4096 encryption.

The group has also released Parano Stealer, a Python-based infostealer that targets browser data, Discord credentials, cryptocurrency wallets, and system information. 

CyberVolk Stealer Python Script

It has developed a PHP-based webshell for remote access and control of compromised systems, which combined with their ongoing activities demonstrate the group’s evolving capabilities and persistent threat to organizations worldwide.

CyberVolk and other hacktivist groups were recently banned from Telegram, which follows threats from an actor who claims to have the ability to manipulate Telegram’s Terms of Service to ban channels. 

According to Sentinel Labs, it is possibly associated with a former member of AzzaSec or Doubleface, who appears to be using these threats to extort other groups.

As a result, many hacktivist groups are migrating to more secure platforms, highlighting the increasing weaponization of Telegram’s platform policies.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

Deloitte Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...