cyber security

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond, LockBit, and Chaos to launch DDoS and ransomware attacks against targets opposing Russian interests. 

The highly skilled members of the group modify and improve these tools, which results in an increase in their level of sophistication and makes it more difficult to track them down. 

June 2024 Release of AzzaSec Ransomware

A pro-Russia hacktivist group emerged in May 2024, leveraging the AzzaSec ransomware code, leaked in June 2024, which was originally developed by a pro-Russia, anti-Israel, and anti-Ukraine group and was adopted and modified by various aligned groups, including CyberVolk.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operations of CyberVolk consist of a variety of distributed denial of service attacks, defacements, and ransomware, and they frequently target entities in countries that are in alliance with Russia. 

CyberVolk wallpaper with countdown timer

CyberVolk, a ransomware-as-a-service (RaaS) group, emerged in late June 2024, leveraging modified AzzaSec ransomware, as their Windows-specific payloads, written in C++, employ encryption algorithms like AES and SHA512. 

A countdown timer is displayed, files are encrypted, and the extension.CyberVolk is appended to the filename. 

It has recently targeted entities in Japan, including government agencies and research institutions, as part of their “#OpJP” campaign, as their operations involve ransomware distribution, victim extortion, and active promotion on social media platforms.

CyberVolk-encrypted files

Invisible/Doubleface ransomware, a variant of AzzaSec ransomware, emerged from a collaboration between CyberVolk and Doubleface Team, which employs AES-256 encryption for files and RSA-2048 for key wrapping. 

The ransomware imposes a 5-hour timeout for victim action, enforced by a timer mechanism.

Its source code, publicly leaked, reveals details about its encryption methods, timeout implementation, and ransom note generation.

HexaLocker, a ransomware group associated with LAPSUS$, emerged in July 2024 with the goal of “Lock. Demand. Dominate.”

The group’s Golang-based ransomware targeted Windows systems and was actively developed and promoted within the CyberVolk community. 

HexaLocker Telegram message

In October 2024, HexaLocker’s lead developer, ZZART3XX, announced the group’s shutdown and offered to sell the ransomware source code and infrastructure, signaling a potential shift in the threat landscape. 

CyberVolk, an active threat actor, has recently introduced Parano Ransomware, a new ransomware variant featuring strong anti-analysis measures and AES-128/RSA-4096 encryption.

The group has also released Parano Stealer, a Python-based infostealer that targets browser data, Discord credentials, cryptocurrency wallets, and system information. 

CyberVolk Stealer Python Script

It has developed a PHP-based webshell for remote access and control of compromised systems, which combined with their ongoing activities demonstrate the group’s evolving capabilities and persistent threat to organizations worldwide.

CyberVolk and other hacktivist groups were recently banned from Telegram, which follows threats from an actor who claims to have the ability to manipulate Telegram’s Terms of Service to ban channels. 

According to Sentinel Labs, it is possibly associated with a former member of AzzaSec or Doubleface, who appears to be using these threats to extort other groups.

As a result, many hacktivist groups are migrating to more secure platforms, highlighting the increasing weaponization of Telegram’s platform policies.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago