The professional-Russian hacktivist group generally known as CyberVolk (aka GLORIAMIST) has resurfaced with a brand new ransomware-as-a-service (RaaS) providing referred to as VolkLocker that suffers from implementation lapses in take a look at artifacts, permitting customers to decrypt information with out paying an extortion charge.
In accordance with SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is able to focusing on each Home windows and Linux programs. It is written in Golang.
“Operators constructing new VolkLocker payloads should present a bitcoin handle, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct choices,” safety researcher Jim Walter stated in a report revealed final week.
As soon as launched, the ransomware makes an attempt to escalate privileges, performs reconnaissance and system enumeration, together with checking native MAC handle prefixes towards recognized virtualization distributors like Oracle and VMware. Within the subsequent stage, it lists all out there drives and determines the information to be encrypted primarily based on the embedded configuration.
VolkLocker makes use of AES-256 in Galois/Counter Mode (GCM) for encryption by way of Golang’s “crypto/rand” package deal. Each encrypted file is assigned a customized extension corresponding to .locked or .cvolk.
Nevertheless, an evaluation of the take a look at samples has uncovered a deadly flaw the place the locker’s grasp keys usually are not solely hard-coded within the binaries, however are additionally used to encrypt all information on a sufferer system. Extra importantly, the grasp key can be written to a plaintext file within the %TEMP% folder (“C:UsersAppDataLocalTempsystem_backup.key”).
Since this backup key file is rarely deleted, the design blunder permits self-recovery. That stated, VolkLocker has all of the hallmarks usually related to a ransomware pressure. It makes Home windows Registry modifications to thwart restoration and evaluation, deletes quantity shadow copies, and terminates processes related to Microsoft Defender Antivirus and different frequent evaluation instruments.
Nevertheless, the place it stands out is in the usage of an enforcement timer, which wipes the content material of person folders, viz. Paperwork, Desktop, Downloads, and Photos, if victims fail to pay inside 48 hours or enter the mistaken decryption key 3 times.
CyberVolk’s RaaS operations are managed by way of Telegram, costing potential clients between $800 and $1,100 for both a Home windows or Linux model, or between $1,600 and $2,200 for each working programs. VolkLocker payloads include built-in Telegram automation for command-and-control, permitting customers to message victims, provoke file decryption, listing lively victims, and get system data.
As of November 2025, the menace actors have marketed a distant entry trojan and keylogger, each priced at $500 every, indicating a broadening of their monetization technique.
CyberVolk launched its personal RaaS in June 2024. Recognized for conducting distributed denial-of-service (DDoS) and ransomware assaults on public and authorities entities to assist Russian authorities pursuits, it is believed to be of Indian origin.
“Regardless of repeated Telegram account bans and channel removals all through 2025, CyberVolk has reestablished its operations and expanded its service choices,” Walter stated. “Defenders ought to see CyberVolk’s adoption of Telegram-based automation as a mirrored image of broader traits amongst politically-motivated menace actors. These teams proceed to decrease boundaries for ransomware deployment whereas working on platforms that present handy infrastructure for prison companies.”
