Ransomware - CyberVolk

CyberVolk (Active)
Aliases
Binary Ghosts
Cyb3r Bytes
CyberBytes
GLORIAMIST
GLORIAMIST India
Solntsevskaya Bratva
Description

CyberVolk is a self-proclaimed hacktivist group with various allegiances to other hacktivist groups around the globe, including Anonymous (and its subsidiaries), White_Hunters, Cyber Hunters, and others. They even state that they work with a DDoS service called SRV to carry out many of their extortion attacks. The group's members (many of whom are listed below) carry out data breaches, website defacements, DDoS attacks, and, of course, ransomware deployment. Before they added ransomware to their arsenal, they were known by various names such as GLORIAMIST and Solntsevskaya Bratva, dating back to late 2023. After a vote, they began to go by CyberVolk ("volk" is Russian for wolf). Although they use Russian naming conventions and many of their ransom notes claim they are Russian, SentinelOne's research concludes that they originate in India and hold pro-Russian allegiances, which is supported by the GLORIAMIST India alias they used in the past. A researcher in one of the references below claims the group is French, based on the Cyb3r Bytes name, but there is no further evidence to corroborate that.

Much of the information in this entry comes from SentinelOne's research, Detect FYI's publication, Gohan Adiputra's research on Scribd, ThreatMon's report, and Machina Record's report. WatchGuard performed additional analysis to gather further technical information and communication mediums. SentinelOne's research traces the ransomware encryptor's lineage to the AzzaSec group's ransomware, which itself derives from Babuk's leaked encryptor. AzzaSec and its derivatives (CyberVolk, DeepX, Dxx and Alien, HexaLocker, Invisible, etc.) use a hybrid encryption scheme: AES with SHA-512 for file contents and RSA-4096 to encrypt the AES symmetric key. Additionally, when executed, the ransomware changes the desktop wallpaper, displays a modal window that cannot be closed, and appends a file extension of .cvenc, .petik, or .CyberVolk to encrypted files. The modal allows victims to enter a decryption key to decrypt their files, but entering any combination of 36 alphanumeric characters stops the process. Some samples performed no encryption at all, so the group's encryption mechanism is flawed in some way.
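The artifacts described above (the three appended extensions, the ransom note and wallpaper file names, and the sample hashes listed further down this profile) are enough to build a simple host triage check. The following is an added example written for this entry; it is not WatchGuard's tooling or any code from the CyberVolk samples. The file inventory it runs over is constructed, the non-IoC hashes in it are placeholders, and the verdict thresholds are assumptions chosen for illustration. Note that tmp.bmp and wallpaper.bmp are generic names, so the check treats them as weak evidence unless encrypted files or the ReadMe note are also present.

```python
"""Triage a file inventory against the CyberVolk indicators from this profile.

Added example, not code from the profile or the ransomware. Inventory records
are constructed; only the SAMPLE_HASHES values are taken from the profile.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Indicators copied from the profile's File Extension and Ransom Note Name
# fields. Comparison is case-insensitive because .CyberVolk is mixed case.
ENCRYPTED_SUFFIXES = (".cvenc", ".cybervolk", ".petik")
STRONG_NOTE_NAMES = {"cybervolk_readme.txt"}
# Dropped alongside the note, but generic enough to be weak evidence on their own.
WEAK_ARTIFACT_NAMES = {"tmp.bmp", "wallpaper.bmp"}

# SHA-256 sample hashes as listed in this profile.
SAMPLE_HASHES = frozenset({
    "102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12",
    "3c47b052e78c15a003b18af61fe09225d1239000634747770be77518fdf02a19",
    "489e921e3f060b15e3825ca53205eddecbe65583b3de90bb3550049d2c278de8",
    "6343bb6570bdea7f0e829312cf5829defa9eb69238fefa6c272650e1e5219a86",
    "9e613ef9338ff03c8fb9910a14a09e3fb3af6b105257a51e257f3e964347711e",
    "a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e",
    "d069ad1b5c46ecb0b6206a261cf89656e47a0add9e1f34a00701960559465fca",
    "d1f61189d444ca4f3fb461d00c8e5289037451ce244b934ff9f81618ef452f72",
    "de0b74917fe24c2b38e2d1172b7352f88bf8b3df64b6d44ca5f317db85aeb324",
    "ed6c889c833ba5a210bd5c535564ef185b014a34397bbb8b91c7be890f16fe88",
})
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify_path(path: str) -> tuple[str, str | None]:
    """Return (category, original_name) for one file path.

    category is 'encrypted', 'note', 'weak' or 'none'. For an encrypted file,
    original_name is the name with the appended suffix stripped, which is what
    a recovery team needs to map encrypted files back to their originals
    (e.g. 'budget.xlsx.cvenc' -> 'budget.xlsx').
    """
    name = PureWindowsPath(path).name
    lower = name.lower()
    for suffix in ENCRYPTED_SUFFIXES:
        if lower.endswith(suffix) and len(lower) > len(suffix):
            return "encrypted", name[: -len(suffix)]
    if lower in STRONG_NOTE_NAMES:
        return "note", None
    if lower in WEAK_ARTIFACT_NAMES:
        return "weak", None
    return "none", None


def triage(records: list[dict]) -> dict:
    """Aggregate per-file findings into a host-level verdict (assumed thresholds)."""
    result: dict = {"hash_matches": [], "encrypted": [], "notes": [], "weak": []}
    for rec in records:
        digest = (rec.get("sha256") or "").lower()
        if SHA256_RE.match(digest) and digest in SAMPLE_HASHES:
            result["hash_matches"].append(rec["path"])
        category, original = classify_path(rec["path"])
        if category == "encrypted":
            result["encrypted"].append((rec["path"], original))
        elif category == "note":
            result["notes"].append(rec["path"])
        elif category == "weak":
            result["weak"].append(rec["path"])
    # A known sample hash, or encrypted files together with the note, is conclusive;
    # encrypted extensions alone are suspicious; generic names alone are only weak.
    if result["hash_matches"] or (result["encrypted"] and result["notes"]):
        result["verdict"] = "confirmed"
    elif result["encrypted"]:
        result["verdict"] = "suspected"
    elif result["notes"] or result["weak"]:
        result["verdict"] = "weak"
    else:
        result["verdict"] = "clean"
    return result


# Constructed inventory, as an EDR file listing might export it. Hashes on
# ordinary files are placeholders; only installer.exe carries a profile hash.
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\acct\Documents\budget.xlsx.cvenc", "sha256": "0" * 64},
    {"path": r"C:\Users\acct\Documents\notes.txt.CyberVolk", "sha256": "1" * 64},
    {"path": r"C:\Users\acct\Pictures\holiday.jpg.petik", "sha256": "2" * 64},
    {"path": r"C:\Users\acct\Desktop\CyberVolk_ReadMe.txt", "sha256": "3" * 64},
    {"path": r"C:\Users\acct\AppData\Local\Temp\wallpaper.bmp", "sha256": "4" * 64},
    {"path": r"C:\Users\acct\Downloads\installer.exe",
     "sha256": "102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12"},
    {"path": r"C:\Windows\System32\kernel32.dll", "sha256": "5" * 64},
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print("verdict:", report["verdict"])
    for path, original in report["encrypted"]:
        print(f"{path} -> original name: {original}")
```

The same logic maps onto a SIEM or EDR query: alert on any file event whose name ends in one of the three suffixes, escalate when CyberVolk_ReadMe.txt appears on the same host, and treat the .bmp names as context rather than a trigger.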

Throughout 2024, the group targeted mostly organizations in Japan, along with a few in the U.S., Armenia, Venezuela, Albania, and Italy. Their extortion demands ranged from a few thousand to several million dollars and did not appear to scale consistently with the victims involved. It is difficult to tell whether some of these victims had ransomware deployed in their environments or whether the group simply exfiltrated data, which has become increasingly common in 2024/2025; hence this profile's data broker designation alongside the crypto-ransomware and RaaS designations.

Ransomware Type
Crypto-Ransomware
Data Broker
RaaS
Country of Origin
India
First Seen
Lineage
Threat Actors
Type | Actor
Hacktivist | CyberVolk
Individual | DeathHack
Individual | ghostdoor_maldev
Individual | hacker7
Individual | hackerk7
Individual | moonnight_god
Individual | xpolarized
Extortion Types
Direct Extortion
DoS
Extortion Timeout
Free Data Leaks
Website Defacing
Amount
$500
$1,000
$2,000
$10,000
$20,000
$70,000
$2,000,000
$2,500,000
$5,000,000
$8,000,000
Communication
Medium | Identifier
Telegram | (11 Telegram channels listed; identifiers not given)
Encryption
Type
Hybrid
Files
AES
Key
RSA-4096
Additional Encryption
SHA-512
Crypto Wallets
Blockchain Type | Crypto Wallet
BTC | bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87
USDT | TXarMAbSLLmStn4RZj63cTH7tpbodGNGbZ
File Extension
<file name>.<file extension>.cvenc
<file name>.<file extension>.CyberVolk
<file name>.<file extension>.petik
Ransom Note Name
CyberVolk_ReadMe.txt
tmp.bmp
wallpaper.bmp
Sample Hashes (SHA-256)
102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
3c47b052e78c15a003b18af61fe09225d1239000634747770be77518fdf02a19
489e921e3f060b15e3825ca53205eddecbe65583b3de90bb3550049d2c278de8
6343bb6570bdea7f0e829312cf5829defa9eb69238fefa6c272650e1e5219a86
9e613ef9338ff03c8fb9910a14a09e3fb3af6b105257a51e257f3e964347711e
a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e
d069ad1b5c46ecb0b6206a261cf89656e47a0add9e1f34a00701960559465fca
d1f61189d444ca4f3fb461d00c8e5289037451ce244b934ff9f81618ef452f72
de0b74917fe24c2b38e2d1172b7352f88bf8b3df64b6d44ca5f317db85aeb324
ed6c889c833ba5a210bd5c535564ef185b014a34397bbb8b91c7be890f16fe88
Victims
Industry Sector | Country | Extortion Date | Amount (USD)
Environmental Services | United States | | $5,000,000
Environmental Services | United States | | $2,000,000
Environmental Services | Japan | | $70,000
Automotive | Japan | |
Government | Armenia | | $2,500,000
Energy | Japan | |
Scientific Services | Japan | |
Scientific Services | Japan | | $10,000
Telecommunications | Japan | | $20,000
Scientific Services | Japan | | $10,000
Environmental Services | Japan | | $20,000
Environmental Services | Japan | | $10,000
Education | Japan | | $2,000
Oil & Gas | Venezuela | |
Government | Italy | |
Government | Venezuela | |
Government | Albania | |