“CyberVolk” hacktivists use ransomware to support Russian interests

Researchers have observed that a hacktivist group with roots possibly in India is using ransomware against government and public entities in countries opposed to Russian interests.

The group, known as CyberVolk, has been active since at least March 2024 and uses current geopolitical issues to justify its attacks. Most recently, the group claimed responsibility for compromising the networks of critical infrastructure and scientific institutions in Japan, France and Great Britain.

CyberVolk initially operated under the name Gloriamist India before rebranding to its current identity. In previous reports, a threat actor known by the pseudonym Hacker-K was identified as being of Indian origin and the leader of CyberVolk. It remains unclear where the group is currently based and who its other members are.

According to a report from cybersecurity firm SentinelOne on Tuesday, CyberVolk has previously claimed alliances with other pro-Russian hacktivist groups, including NoName057(16). The group is just one of many politically motivated threat actors that have come into the spotlight following Russia’s invasion of Ukraine in 2024.

What sets CyberVolk apart is that in addition to distributed denial-of-service (DDoS) attacks – the most popular method among hacktivists – it also uses ransomware and information-stealing malware, according to SentinelOne researchers.

CyberVolk’s stealer attempts to collect various types of victim information – including browser, Discord, gaming and cryptocurrency wallet data – from targeted systems. The stolen data is then exfiltrated via the Discord messaging app.

The group’s branded ransomware descends from malware originally developed by another pro-Russian, anti-Israel and anti-Ukrainian hacktivist group, AzzaSec, whose ransomware source code was leaked in June and subsequently adopted by other threat actors.

In a ransom note displayed on victims’ computer screens, CyberVolk describes itself as a group of elite hackers and cybersecurity experts from Russia who “instill fear in their targets.”

The CyberVolk ransomware supports cryptocurrency payments, with the ransom amount set at $1,000. Victims are instructed to pay within five hours of learning about the hack.

In addition to AzzaSec, CyberVolk has also promoted other ransomware families such as HexaLocker and Parano. The reuse of these tools and more established tools like LockBit and Chaos shows “how dynamic the affiliations and alliances between hacktivist groups can be,” the SentinelOne researchers said.

Although composed primarily of less-skilled threat actors, CyberVolk has learned to quickly adapt existing tools to their needs, making the group more difficult to combat and track, researchers say.

“The number of ransomware families associated with CyberVolk underscores this group’s ability to pivot quickly and build on existing tools to meet their needs and advance their causes,” they added.
