CyberVolk Ransomware Targets Windows Systems in Critical Infrastructure and Research Institutions

CyberVolk ransomware, which first emerged in May 2024, has escalated its operations against government agencies, critical infrastructure, and scientific institutions across Japan, France, and the United Kingdom.

Operating with pro-Russian leanings, CyberVolk specifically targets states perceived as hostile to Russian interests, leveraging sophisticated encryption techniques that render decryption impossible.

This article delivers a technical analysis of CyberVolk’s encryption architecture, execution flow, and the inherent flaws that prevent recovery without backups.

CyberVolk surfaced in May 2024, quickly distinguishing itself by focusing on public sector targets in nations with anti-Russian policies.

The group communicates via Telegram channels, issuing threats and ransom demands directly to victims.

Notable attacks include Japanese power grids, French research laboratories, and British scientific consortia.

CyberVolk’s motivations appear geopolitically driven, aligning with pro-Russian narratives by crippling the technological capabilities of adversarial states.

Upon launch under standard user privileges, the ransomware re-executes with administrator rights to gain full system access.

It then builds an exclusion list to avoid destabilizing critical system directories. Paths containing substrings—such as “Windows,” “Program Files,” and “ProgramData”—are omitted from encryption to maintain system stability and enable persistence after reboot.

Encryption Exclusions

CyberVolk excludes files already bearing its custom extension and system folders to prevent redundant operations and reinfection.
Windows.
Program Files.
ProgramData.
CyberVolk.

The ransomware employs a two-tiered symmetric encryption scheme using AES-256 GCM and ChaCha20-Poly1305.

A single symmetric key is generated at process initialization and applied uniformly across all target files. Each file encryption begins with a 12-byte nonce produced by crypto_rand_Read().

This nonce ensures unique ciphertexts even for identical plaintexts. File contents are first encrypted under AES-256 GCM, producing both ciphertext and an authentication tag, before being double-encrypted using ChaCha20-Poly1305.

File Structure Changes

Post-encryption files retain only encrypted data and the ChaCha20-Poly1305 authentication tag; no nonce or key derivation metadata is stored alongside the ciphertext. This omission makes offline decryption unachievable.

Upon completion of encryption, the ransomware generates a ransom note named READMENOW.txt in the execution directory.

A desktop background change and note prompt instruct victims to input a hard-coded decryption key within three attempts.

Although decryption logic is present, it incorrectly handles the nonce—failing to retrieve or apply the original value—resulting in decryption failures.

CyberVolk’s self-developed ransomware leverages robust, double-layer symmetric encryption with randomly generated nonces that are never preserved, making ciphertext irrecoverable by design.

Its pro-Russian orientation and selective targeting of anti-Russian states underscore the geopolitical dimension of its cyber assaults.

Organizations must implement stringent backup strategies—maintaining offline, access-controlled copies of critical data—and regularly conduct recovery drills to mitigate irreversible data loss.

A holistic approach that secures backup systems themselves is vital for preserving operational continuity.

4.1. V3
Ransomware/Win.BlackLock.C5764855 (2025.06.11.03).
Ransom/MDP.Behavior.M2649 (2022.09.06.00).
Ransom/MDP.Decoy.M1171 (2016.07.15.02).

4.2. EDR
Ransom/EDR.Decoy.M2716 (2025.08.07.00).

c04e70613fcf916e27bd653f38149f71.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!