Researchers have observed a hacktivist group with roots possibly in India deploying ransomware against state and public entities in countries that oppose Russian interests.

Known as CyberVolk, the group has been active since at least March 2024, exploiting current geopolitical issues to justify its attacks. Most recently, the group claimed responsibility for compromising the networks of critical infrastructure facilities and scientific institutions in Japan, France, and the U.K.

CyberVolk initially operated under the name Gloriamist India before rebranding to its current identity. Previous reports identified a threat actor known by the alias Hacker-K as being of Indian origin and the leader of CyberVolk. It remains unclear where the group is currently based or who its other members are.

CyberVolk has previously claimed alliances with other pro-Russia hacktivist groups, including NoName057(16), according to a report by cybersecurity firm SentinelOne on Tuesday. The group is just one of many politically motivated threat actors that have come into the spotlight after Russia’s invasion of Ukraine in 2024. 

What makes CyberVolk stand out is that in addition to carrying out distributed denial-of-service (DDoS) attacks — the most popular method among hacktivists — it also deploys ransomware and info-stealing malware, note the SentinelOne researchers.

CyberVolk’s stealer attempts to gather various types of victim information — including browser, Discord, gaming, and cryptocurrency wallet data — from targeted systems. The stolen data is then exfiltrated via the Discord messaging app.

The group’s branded ransomware is derived from malware originally developed by another pro-Russia, anti-Israel and anti-Ukraine hacktivist group, AzzaSec, whose ransomware source code was leaked in June and subsequently adopted by other threat actors.

In a ransom note displayed on victims' computer screens, CyberVolk describes itself as a group of elite hackers and cybersecurity experts from Russia who “strike fear in the hearts of their targets.”

CyberVolk ransomware supports cryptocurrency payments, with the ransom amount set at $1,000. Victims are instructed to pay within five hours of learning about the hack.

In addition to AzzaSec, CyberVolk has also promoted other ransomware families, such as HexaLocker and Parano. The reuse of these tools, and more established ones like LockBit and Chaos demonstrates “how dynamic the affiliations and alliances between hacktivist groups can be,” the SentinelOne researchers said.

Though primarily composed of lower-skilled threat actors, CyberVolk has learned to quickly adapt existing tools to suit their needs, making the group harder to fight and track, researchers said.

“The number of ransomware families associated with CyberVolk highlights the ability of this group to rapidly pivot, building upon existing tools to suit their needs and further their causes,” they added.