The professional-Russian hacktivist group often known as CyberVolk (aka GLORIAMIST) has resurfaced with a brand new ransomware-as-a-service (RaaS) providing known as VolkLocker that suffers from implementation lapses in check artifacts, permitting customers to decrypt recordsdata with out paying an extortion price.
Based on SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is able to concentrating on each Home windows and Linux methods. It is written in Golang.
“Operators constructing new VolkLocker payloads should present a bitcoin deal with, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct choices,” safety researcher Jim Walter mentioned in a report revealed final week.
As soon as launched, the ransomware makes an attempt to escalate privileges, performs reconnaissance and system enumeration, together with checking native MAC deal with prefixes in opposition to recognized virtualization distributors like Oracle and VMware. Within the subsequent stage, it lists all obtainable drives and determines the recordsdata to be encrypted based mostly on the embedded configuration.
VolkLocker makes use of AES-256 in Galois/Counter Mode (GCM) for encryption by means of Golang’s “crypto/rand” bundle. Each encrypted file is assigned a customized extension equivalent to .locked or .cvolk.
Nonetheless, an evaluation of the check samples has uncovered a deadly flaw the place the locker’s grasp keys aren’t solely hard-coded within the binaries, however are additionally used to encrypt all recordsdata on a sufferer system. Extra importantly, the grasp key can also be written to a plaintext file within the %TEMP% folder (“C:UsersAppDataLocalTempsystem_backup.key”).
Since this backup key file isn’t deleted, the design blunder permits self-recovery. That mentioned, VolkLocker has all of the hallmarks usually related to a ransomware pressure. It makes Home windows Registry modifications to thwart restoration and evaluation, deletes quantity shadow copies, and terminates processes related to Microsoft Defender Antivirus and different frequent evaluation instruments.
Nonetheless, the place it stands out is in using an enforcement timer, which wipes the content material of consumer folders, viz. Paperwork, Desktop, Downloads, and Footage, if victims fail to pay inside 48 hours or enter the unsuitable decryption key 3 times.
CyberVolk’s RaaS operations are managed by means of Telegram, costing potential clients between $800 and $1,100 for both a Home windows or Linux model, or between $1,600 and $2,200 for each working methods. VolkLocker payloads include built-in Telegram automation for command-and-control, permitting customers to message victims, provoke file decryption, listing energetic victims, and get system info.
As of November 2025, the risk actors have marketed a distant entry trojan and keylogger, each priced at $500 every, indicating a broadening of their monetization technique.
CyberVolk launched its personal RaaS in June 2024. Identified for conducting distributed denial-of-service (DDoS) and ransomware assaults on public and authorities entities to assist Russian authorities pursuits, it is believed to be of Indian origin.
“Regardless of repeated Telegram account bans and channel removals all through 2025, CyberVolk has reestablished its operations and expanded its service choices,” Walter mentioned. “Defenders ought to see CyberVolk’s adoption of Telegram-based automation as a mirrored image of broader traits amongst politically-motivated risk actors. These teams proceed to decrease limitations for ransomware deployment whereas working on platforms that present handy infrastructure for legal providers.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s traits at present: learn extra, subscribe to our e-newsletter, and grow to be a part of the NextTech neighborhood at NextTech-news.com
