CyberVolk Reemerges: VolkLocker’s New Features and Flaws
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article covers the resurgence of the pro-Russia hacktivist collective CyberVolk and its new ransomware family dubbed VolkLocker. This Golang-based ransomware targets both Windows and Linux systems and relies on Telegram for command and control. It uses a hard-coded AES-256-GCM master key, which is also written in plaintext to the %TEMP% directory, effectively creating an unintended decryption shortcut. VolkLocker further tampers with registry settings, turns off security controls, and attempts destructive actions against the system once a built-in timer expires.
Investigation
Researchers examined the VolkLocker sample and observed that it is distributed without code obfuscation, instead recommending the use of UPX for packing. The ransomware carries out environment checks, enumerates available drives, encrypts data using a static master key, and stores that key in a hidden backup file. Persistence is maintained by replicating the executable into multiple paths and applying registry changes. Telegram bot tokens and a Bitcoin address are mandatory configuration elements for successful operation.
Mitigation
Defenders should watch for the documented registry changes, the creation of the plaintext key backup file, and multiple copies of the same executable appearing in startup locations. Blocking outbound traffic to Telegram-related domains and flagging UPX-packed binaries can help limit risk. Maintaining regular offline or immutable backups and preventing automatic deletion of volume shadow copies are also advised.
Response
After detection, immediately isolate the compromised endpoint, retrieve the plaintext key backup file from %TEMP%, and leverage the known master key for file decryption. Eradicate all instances of the VolkLocker executable, restore altered registry values, and restart any disabled security solutions. Perform a forensic review of Telegram-based C2 traffic and continue monitoring for subsequent misuse of the exposed bot token.
Attack Flow
Detections
Detection of CyberVolk Ransomware Artifacts [Windows File Event]
View
Privilege Escalation and Process Termination by CyberVolk Ransomware [Windows Process Creation]
View
IOCs (HashSha1) to detect: CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
View
Possible Registry Modification to System Toolls Lockdown (via cmdline)
View
Disabling Windows Defender Protections (via registry_event)
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands:
- Objective: Obtain SYSTEM privileges on a standard user workstation while evading security tooling.
- Step 1 – UAC Bypass: The attacker launches ms-settings.exe with a command line that forces the process to call
NtRaiseHardError, a known undocumented API that can trigger a UAC elevation prompt that can be auto‑accepted in certain mis‑configurations. - Step 2 – Disrupt Defenses: Immediately after the elevation, the same command line invokes taskkill.exe to terminate known analysis tools (
procmon.exe,processhacker.exe, etc.) that might be monitoring privileged processes. - Resulting Telemetry: A single process‑creation event where Image = ms-settings.exe and CommandLine contains both
taskkill.exeandNtRaiseHardError, satisfying the Sigma rule’sselection.
# Combined malicious command – crafted to appear as ms-settings.exe arguments $maliciousCmd = '"C:\Windows\System32\ms-settings.exe" "taskkill.exe /F /IM procmon.exe" "NtRaiseHardError"' Start-Process -FilePath "$env:SystemRoot\system32\ms-settings.exe" -ArgumentList $maliciousCmd -
Regression Test Script: The following PowerShell script reproduces the exact attack and can be reused for automated regression testing.
<# .SYNOPSIS Simulates the CyberVolk ms‑settings UAC bypass + analysis‑tool termination technique. .DESCRIPTION Launches ms-settings.exe with a crafted argument list that includes taskkill.exe and NtRaiseHardError. Generates the specific process‑creation telemetry required to fire the Sigma detection rule. .NOTES Run with a normal user account. Ensure that the target environment has process‑creation logging enabled. #> # Parameters (adjust if needed) $msSettings = "$env:SystemRoot\system32\ms-settings.exe" $analysisTools = @("procmon.exe","processhacker.exe","ida64.exe") $killCmd = "taskkill.exe /F /IM " + ($analysisTools -join " /IM ") $hardError = "NtRaiseHardError" # Build the malicious argument string $argList = @($killCmd, $hardError) -join " " Write-Host "Launching ms-settings.exe with malicious arguments..." Start-Process -FilePath $msSettings -ArgumentList $argList Write-Host "Command executed:" Write-Host "`"$msSettings`" $argList" -
Cleanup Commands: After verification, terminate any lingering ms-settings.exe processes and restore normal system state.
# Stop any ms-settings processes that may still be running Get-Process -Name "ms-settings" -ErrorAction SilentlyContinue | Stop-Process -Force # Optional: Verify no analysis tools were unintentionally killed foreach ($tool in @("procmon","processhacker","ida64")) { if (Get-Process -Name $tool -ErrorAction SilentlyContinue) { Write-Host "$tool is still running." } else { Write-Host "$tool was terminated (expected for the test)." } }