CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic
Sept. 12, 2025, 8:20 a.m.
Description
The CyberVolk ransomware, which emerged in May 2024, targets public institutions and key infrastructure of anti-Russian countries. It uses a double encryption structure built on the AES-256-GCM and ChaCha20-Poly1305 algorithms. The ransomware excludes certain files and directories from encryption and uses a symmetric key that is generated before the main function starts. A unique nonce is generated for each file encryption but is not stored, making decryption impossible. The ransomware includes disguised decryption logic that fails because of an incorrect nonce value. This pro-Russian group communicates via Telegram and has claimed attacks on major facilities in Japan, France, and the UK.
Tags
Date
- Created: Sept. 12, 2025, 7:44 a.m.
- Published: Sept. 12, 2025, 7:44 a.m.
- Modified: Sept. 12, 2025, 8:20 a.m.
Additional Information
- Government
- Japan
- France
- Russian Federation