CyberVolk’s Ransomware Debut Stumbles on Cryptography Weakness

The pro-Russia hacktivist group CyberVolk launched a ransomware-as-a-service (RaaS) called VolkLocker that suffered from serious implementation flaws, allowing victims to potentially decrypt files for free.

According to SentinelOne researchers who examined the new ransomware family, the encryptor uses a hardcoded master key in the binary, which is also written in plaintext in a hidden file on affected machines.

This allows targeted companies to use the key to decrypt files for free, undermining VolkLocker's potential in the cybercrime space.

CyberVolk is reportedly an India-based pro-Russia hacktivist collective that started operations last year, launching distributed denial of service and ransomware attacks against public and government entities opposing Russia or siding with Ukraine.

While the group was disrupted on Telegram, it returned in August 2025 with a new RaaS program, VolkLocker (CyberVolk 2.x), which targets both Linux/VMware ESXi and Windows systems.

A notable feature of VolkLocker is a Golang timer function in its code: when the timer expires, or when an incorrect key is entered in the HTML ransom note, it triggers the wiping of user folders (Documents, Downloads, Pictures, and Desktop).

Access to the RaaS costs between $800 and $1,100 for a single OS architecture, or $1,600 to $2,200 for both.

Purchasers can access a builder bot on Telegram to customize the encryptor and receive the generated payload.

In November 2025, the same threat group began advertising a remote access trojan and a keylogger, priced at $500 each.

VolkLocker uses AES-256 in GCM (Galois/Counter Mode) encryption, with a 32-bit master key derived from a 64-character hex string embedded in the binary.
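
For responders, the embedded hex string and the plaintext copy in the hidden file are both recoverable with a simple string scan. The following is an added example, not code from SentinelOne or BleepingComputer: it looks for standalone 64-character hex strings in a byte blob and keeps the ones that look like key material. The function names, the entropy threshold and the sample blob are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# A run of exactly 64 hex characters that is not part of a longer hex run.
HEX64 = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte distribution."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def candidate_keys(blob: bytes, min_entropy: float = 4.0):
    """Return (offset, hex_string, key_bytes) for each plausible embedded key.

    64 hex characters decode to 32 bytes, the key length AES-256 takes.
    The entropy floor (an assumed threshold) drops filler such as all zeros;
    32 random bytes score close to 5 bits/byte, the maximum for 32 samples.
    """
    hits = []
    for m in HEX64.finditer(blob):
        hex_str = m.group().decode("ascii")
        key = bytes.fromhex(hex_str)
        if shannon_entropy(key) >= min_entropy:
            hits.append((m.start(), hex_str, key))
    return hits


# Constructed sample standing in for a binary's string data (not a real sample).
CONSTRUCTED_KEY_HEX = bytes(range(7, 256, 8)).hex()  # 32 distinct bytes
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00go.buildid\x00"
    + b"0" * 64 + b"\x00"    # low-entropy filler: matched, then filtered out
    + b"a3" * 40 + b"\x00"   # 80 hex characters: too long, never matched
    + b"key=" + CONSTRUCTED_KEY_HEX.encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    for offset, hex_str, key in candidate_keys(SAMPLE_BLOB):
        print(f"offset {offset:#x}: {hex_str} ({len(key)} bytes)")
```

Go packs string literals without terminators, so a key that sits directly next to other hex text in the binary would form a longer run and be skipped by the exact-length match; the plaintext copy in the hidden file gives a second place to run the same scan.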

Source: BleepingComputer