{
  "name": "CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic",
  "slug": "cybervolk-ransomware-analysis-of-double-encryption-structure-and-disguised-decryption-logic",
  "description": "The CyberVolk ransomware, which emerged in May 2024, targets public institutions and critical infrastructure in countries it regards as anti-Russian. It uses a double encryption structure combining the AES-256-GCM and ChaCha20-Poly1305 algorithms. The ransomware excludes certain files and directories from encryption and uses a symmetric key that is generated before the main function starts. A unique nonce is generated for each file encryption but is never stored, making decryption impossible. The ransomware also contains disguised decryption logic that fails because it uses an incorrect nonce value. This pro-Russian group communicates via Telegram and has claimed attacks on major facilities in Japan, France, and the UK.",
  "published": "2025-09-12T05:44:08+00:00",
  "created_at": "2025-09-12T05:44:08+00:00",
  "modified_at": "2025-09-12T06:20:06+00:00",
  "created_at_opencti": "2025-09-12T05:44:08+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-12",
    "aes-256-gcm",
    "chacha20-poly1305",
    "cybervolk",
    "double encryption",
    "geopolitical",
    "pro-russian",
    "ransomware",
    "symmetric key"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:964d97f4e13d7891",
        "name": "CyberVolk",
        "slug": "cybervolk"
      }
    ],
    "intrusion_sets": [
      {
        "id": "0650973e-089e-45e2-bad9-97b0ee1892bd",
        "name": "CyberVolk",
        "slug": "cybervolk"
      }
    ],
    "attack_patterns": [
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/90077/",
    "https://otx.alienvault.com/pulse/68c3cf4879c4e8a5a1e2f37c"
  ]
}