Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond, LockBit, and Chaos to launch DDoS and ransomware attacks against targets opposing Russian interests. 

The highly skilled members of the group modify and improve these tools, which results in an increase in their level of sophistication and makes it more difficult to track them down. 

A pro-Russia hacktivist group emerged in May 2024, leveraging the AzzaSec ransomware code, leaked in June 2024, which was originally developed by a pro-Russia, anti-Israel, and anti-Ukraine group and was adopted and modified by various aligned groups, including CyberVolk.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operations of CyberVolk consist of a variety of distributed denial of service attacks, defacements, and ransomware, and they frequently target entities in countries that are in alliance with Russia. 

CyberVolk, a ransomware-as-a-service (RaaS) group, emerged in late June 2024, leveraging modified AzzaSec ransomware, as their Windows-specific payloads, written in C++, employ encryption algorithms like AES and SHA512. 

A countdown timer is displayed, files are encrypted, and the extension.CyberVolk is appended to the filename. 

It has recently targeted entities in Japan, including government agencies and research institutions, as part of their “#OpJP” campaign, as their operations involve ransomware distribution, victim extortion, and active promotion on social media platforms.

Invisible/Doubleface ransomware, a variant of AzzaSec ransomware, emerged from a collaboration between CyberVolk and Doubleface Team, which employs AES-256 encryption for files and RSA-2048 for key wrapping. 

The ransomware imposes a 5-hour timeout for victim action, enforced by a timer mechanism.

Its source code, publicly leaked, reveals details about its encryption methods, timeout implementation, and ransom note generation.

HexaLocker, a ransomware group associated with LAPSUS$, emerged in July 2024 with the goal of “Lock. Demand. Dominate.”

The group’s Golang-based ransomware targeted Windows systems and was actively developed and promoted within the CyberVolk community. 

In October 2024, HexaLocker’s lead developer, ZZART3XX, announced the group’s shutdown and offered to sell the ransomware source code and infrastructure, signaling a potential shift in the threat landscape. 

CyberVolk, an active threat actor, has recently introduced Parano Ransomware, a new ransomware variant featuring strong anti-analysis measures and AES-128/RSA-4096 encryption.

The group has also released Parano Stealer, a Python-based infostealer that targets browser data, Discord credentials, cryptocurrency wallets, and system information. 

It has developed a PHP-based webshell for remote access and control of compromised systems, which combined with their ongoing activities demonstrate the group’s evolving capabilities and persistent threat to organizations worldwide.

CyberVolk and other hacktivist groups were recently banned from Telegram, which follows threats from an actor who claims to have the ability to manipulate Telegram’s Terms of Service to ban channels. 

According to Sentinel Labs, it is possibly associated with a former member of AzzaSec or Doubleface, who appears to be using these threats to extort other groups.

As a result, many hacktivist groups are migrating to more secure platforms, highlighting the increasing weaponization of Telegram’s platform policies.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.