cyber security

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond, LockBit, and Chaos to launch DDoS and ransomware attacks against targets opposing Russian interests. 

The highly skilled members of the group modify and improve these tools, which results in an increase in their level of sophistication and makes it more difficult to track them down. 

June 2024 Release of AzzaSec Ransomware

A pro-Russia hacktivist group emerged in May 2024, leveraging the AzzaSec ransomware code, leaked in June 2024, which was originally developed by a pro-Russia, anti-Israel, and anti-Ukraine group and was adopted and modified by various aligned groups, including CyberVolk.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operations of CyberVolk consist of a variety of distributed denial of service attacks, defacements, and ransomware, and they frequently target entities in countries that are in alliance with Russia. 

CyberVolk wallpaper with countdown timer

CyberVolk, a ransomware-as-a-service (RaaS) group, emerged in late June 2024, leveraging modified AzzaSec ransomware, as their Windows-specific payloads, written in C++, employ encryption algorithms like AES and SHA512. 

A countdown timer is displayed, files are encrypted, and the extension.CyberVolk is appended to the filename. 

It has recently targeted entities in Japan, including government agencies and research institutions, as part of their “#OpJP” campaign, as their operations involve ransomware distribution, victim extortion, and active promotion on social media platforms.

CyberVolk-encrypted files

Invisible/Doubleface ransomware, a variant of AzzaSec ransomware, emerged from a collaboration between CyberVolk and Doubleface Team, which employs AES-256 encryption for files and RSA-2048 for key wrapping. 

The ransomware imposes a 5-hour timeout for victim action, enforced by a timer mechanism.

Its source code, publicly leaked, reveals details about its encryption methods, timeout implementation, and ransom note generation.

HexaLocker, a ransomware group associated with LAPSUS$, emerged in July 2024 with the goal of “Lock. Demand. Dominate.”

The group’s Golang-based ransomware targeted Windows systems and was actively developed and promoted within the CyberVolk community. 

HexaLocker Telegram message

In October 2024, HexaLocker’s lead developer, ZZART3XX, announced the group’s shutdown and offered to sell the ransomware source code and infrastructure, signaling a potential shift in the threat landscape. 

CyberVolk, an active threat actor, has recently introduced Parano Ransomware, a new ransomware variant featuring strong anti-analysis measures and AES-128/RSA-4096 encryption.

The group has also released Parano Stealer, a Python-based infostealer that targets browser data, Discord credentials, cryptocurrency wallets, and system information. 

CyberVolk Stealer Python Script

It has developed a PHP-based webshell for remote access and control of compromised systems, which combined with their ongoing activities demonstrate the group’s evolving capabilities and persistent threat to organizations worldwide.

CyberVolk and other hacktivist groups were recently banned from Telegram, which follows threats from an actor who claims to have the ability to manipulate Telegram’s Terms of Service to ban channels. 

According to Sentinel Labs, it is possibly associated with a former member of AzzaSec or Doubleface, who appears to be using these threats to extort other groups.

As a result, many hacktivist groups are migrating to more secure platforms, highlighting the increasing weaponization of Telegram’s platform policies.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago