Russian hackers debut ransomware service on Telegram. Hardcode the keys in plaintext in tempdir.

CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There’s some bad news and some good news here.

First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation launched in late summer. It’s run entirely through Telegram, which makes it very easy for affiliates who aren’t particularly tech-savvy to lock files and demand a ransom payment.

CyberVolk’s soldiers can use the platform’s built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.

But here’s the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master key – the same key encrypts all files on a victim’s system – into the executable files. This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang’s resurgence and flawed code in a Thursday report.

[…]

“Our analysis reveals an operation struggling with the challenges of expansion: taking one step forward with sophisticated Telegram automation, and one step backward with payloads that retain test artifacts enabling victim self-recovery,” Walter wrote.

[…]

In November, the ransomware operators began advertising standalone RAT and keylogger tools, with these pricing models:

  • RaaS (single OS): $800-$1,100 USD
  • RaaS (Linux + Windows): $1,600-$2,200 USD
  • Standalone RAT or Keylogger: $500 USD each

Once the ransomware has been deployed on victims’ systems, it escalates privileges, bypassing Windows User Account Control (UAC) to execute malware with admin-level privileges. It determines which files to encrypt based on exclusion lists for specific paths and extensions that have been configured in the malware’s code, and the ransomware uses AES-256 in GCM mode (Galois/Counter Mode) for file encryption.

But, here’s where the malware developers screwed up: VolkLocker doesn’t dynamically generate encryption keys, but rather hardcodes them as hex strings, and writes a plaintext file with the complete master encryption key in the %TEMP% folder.

The plaintext master key “likely represents a test artifact inadvertently shipped in production builds,” Walter wrote. “CyberVolk operators may be unaware that affiliates are deploying builds with the backupMasterKey() function still embedded.”

This “suggests that the operation is struggling to maintain quality control while aggressively recruiting lesser-skilled affiliates,” he added.
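The recovery path the flaw opens up, as an added example that is not part of the article or of SentinelOne’s report: locate a 64-hex-character token (the textual form of a 32-byte AES-256 key) in the text of a suspected key-dump file, then use it to open an AES-256-GCM file body. Everything below the key handling is an assumption for illustration only: the key-dump format (`masterKey=<hex>`), the sample key, the nonce, and the file layout (12-byte nonce followed by ciphertext with the 16-byte tag appended) are all constructed here and are not taken from any VolkLocker sample. A real sample’s layout has to be confirmed by analysis before a recovery tool is built on it, and the GCM tag check in `DecryptBlob` is what tells you whether the recovered key and assumed layout are actually right.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// hexKeyPattern matches a standalone 64-hex-character token: the textual form
// of a 32-byte AES-256 key, which is what a plaintext master-key dump carries.
var hexKeyPattern = regexp.MustCompile(`\b[0-9a-fA-F]{64}\b`)

// FindMasterKey scans the text of a suspected key-dump file (for instance a
// file found in %TEMP%) and returns the first AES-256-sized hex token as bytes.
func FindMasterKey(fileText string) ([]byte, bool) {
	m := hexKeyPattern.FindString(fileText)
	if m == "" {
		return nil, false
	}
	key, err := hex.DecodeString(m)
	if err != nil || len(key) != 32 {
		return nil, false
	}
	return key, true
}

// DecryptBlob recovers plaintext from one encrypted file body. The layout is a
// hypothetical one assumed for this example: a 12-byte GCM nonce followed by
// ciphertext with the 16-byte tag appended (what Go's cipher.NewGCM emits).
func DecryptBlob(masterKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:ns], blob[ns:]
	// Open verifies the GCM tag: a wrong key, a wrong layout or corrupted data
	// fails here instead of silently producing garbage.
	return gcm.Open(nil, nonce, ct, nil)
}

// sampleKey is a constructed 32-byte key used only to build the demo fixture;
// it is not a key from any real sample.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// BuildSample constructs the two artefacts the recovery path needs: the text
// of a plaintext key-dump file and one encrypted file body in the assumed
// layout. Both are fixtures made for this example.
func BuildSample() (keyDumpText string, encryptedFile []byte) {
	block, _ := aes.NewCipher(sampleKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := []byte("unique12byte") // fixed only so the demo is reproducible
	plaintext := []byte("constructed sample document contents")
	encryptedFile = gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ct || tag
	keyDumpText = "masterKey=" + hex.EncodeToString(sampleKey) + "\n"
	return keyDumpText, encryptedFile
}

// RecoverSample runs the full path: find the key in the dump, open the file.
func RecoverSample() (string, error) {
	dump, enc := BuildSample()
	key, ok := FindMasterKey(dump)
	if !ok {
		return "", errors.New("no AES-256 hex key found in dump")
	}
	pt, err := DecryptBlob(key, enc)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	out, err := RecoverSample()
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	fmt.Println("recovered:", out)
}
```

The same 64-hex-character pattern is also a cheap hunting heuristic for responders: a freshly written file under a user’s temp directory whose contents are little more than one such token is worth a look on a host showing other signs of this family.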

[…]

Source: Russian hackers debut simple ransomware service • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

robin@edgarbv.com  https://www.edgarbv.com