VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption


Posted on December 15, 2025 by CWS

Dec 15, 2025 | Ravie Lakshmanan | Ransomware / Cybercrime
The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee.
According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows and Linux systems. It is written in Golang.
“Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options,” security researcher Jim Walter said in a report published last week.

Once launched, the ransomware attempts to escalate privileges and performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors like Oracle and VMware. In the next stage, it lists all available drives and determines the files to be encrypted based on the embedded configuration.
VolkLocker uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang’s “crypto/rand” package. Every encrypted file is assigned a custom extension such as .locked or .cvolk.
However, an analysis of the test samples has uncovered a fatal flaw: the locker’s master keys are not only hard-coded in the binaries, but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder (“C:\Users\AppData\Local\Temp\system_backup.key”).

Since this backup key file isn’t deleted, the design blunder enables self-recovery. That said, VolkLocker has all the hallmarks typically associated with a ransomware strain. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools.
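A read-only triage check for the artifacts named above, as an added example (not code from SentinelOne's report or from the article): it locates a leftover `system_backup.key` file and counts files carrying the `.locked` or `.cvolk` extensions. The `triage` and `demo` names and the sample directory tree are constructed for illustration, and the extension list is an assumption because operators choose their own extension at build time.

```python
import hashlib
import os
import tempfile
from collections import Counter

KEY_FILE_NAME = "system_backup.key"   # artifact name given in the article
DEFAULT_EXTS = (".locked", ".cvolk")  # article's examples; operators pick their own


def triage(root, encrypted_exts=DEFAULT_EXTS):
    """Read-only walk of `root`: locate the leftover key file, count encrypted files."""
    exts = tuple(e.lower() for e in encrypted_exts)
    key_files, counts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == KEY_FILE_NAME:
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable; rerun with sufficient privileges
                key_files.append({
                    "path": path,
                    "size": len(data),
                    # Hash for the evidence record; the key itself is never printed.
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
            elif lower.endswith(exts):
                counts[os.path.splitext(lower)[1]] += 1
    return {
        "key_files": key_files,
        "encrypted_counts": dict(counts),
        "key_present": any(k["size"] > 0 for k in key_files),
    }


def demo():
    """Run triage over a constructed directory tree (sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = os.path.join(root, "Users", "alice", "AppData", "Local", "Temp")
        docs_dir = os.path.join(root, "Users", "alice", "Documents")
        os.makedirs(temp_dir)
        os.makedirs(docs_dir)
        with open(os.path.join(temp_dir, KEY_FILE_NAME), "wb") as fh:
            fh.write(b"CONSTRUCTED-PLACEHOLDER-KEY")
        for name in ("report.docx.locked", "photo.JPG.CVOLK", "notes.txt"):
            open(os.path.join(docs_dir, name), "wb").close()
        return triage(root)
```

Point `triage` at a user profile root or a mounted disk image, and preserve any key file it reports before cleanup tooling empties the Temp folder.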
However, where it stands out is in the use of an enforcement timer, which wipes the content of user folders, viz. Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times.
CyberVolk’s RaaS operations are managed through Telegram, costing prospective customers between $800 and $1,100 for either a Windows or Linux version, or between $1,600 and $2,200 for both operating systems. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

As of November 2025, the threat actors have advertised a remote access trojan and keylogger, both priced at $500 each, indicating a broadening of their monetization strategy.
CyberVolk launched its own RaaS in June 2024. Known for conducting distributed denial-of-service (DDoS) and ransomware attacks on public and government entities to support Russian government interests, it is believed to be of Indian origin.
“Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings,” Walter said. “Defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.”

The Hacker News | Tags: Allowing, Decryption, Exposed, Free, Hardcoded, Key, Master, Ransomware, VolkLocker
