
A pro-Russian hacktivist group known as CyberVolk (also known as GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) product called VolkLocker. Because of an implementation error (a testing artifact left in the build), victims can decrypt their files without paying the extortion fee.
According to SentinelOne, VolkLocker (also known as CyberVolk 2.x) emerged in August 2025 and can target both Windows and Linux systems. It is written in Golang.
“Operators building new VolkLocker payloads must provide a Bitcoin address, Telegram bot token ID, Telegram chat ID, encryption expiration date, desired file extension, and self-destruct option,” security researcher Jim Walter said in a report published last week.

Once launched, the ransomware attempts to escalate privileges and performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors such as Oracle and VMware. The next stage is to list all available drives and decide which files to encrypt based on the embedded configuration.
VolkLocker uses AES-256 in Galois/Counter mode (GCM) for encryption with Golang’s “crypto/rand” package. All encrypted files are assigned a custom extension such as .locked or .cvolk.
However, analysis of test samples revealed a fatal flaw in that the locker’s master key is not only hard-coded into the binary, but is also used to encrypt all files on the victim’s system. More importantly, the master key is also written to a plain text file in the %TEMP% folder (“C:\Users\AppData\Local\Temp\system_backup.key”).

This backup key file is never deleted, so the design error lets victims recover their files on their own. That said, VolkLocker has all the characteristics typically associated with ransomware. It modifies the Windows registry to interfere with recovery and analysis, removes volume shadow copies, and terminates processes related to Microsoft Defender Antivirus and other popular analysis tools.
However, what stands out is a forced timer that wipes the contents of the user folders (Documents, Desktop, Downloads, and Pictures) if the victim fails to pay within 48 hours or enters the wrong decryption key three times.
CyberVolk’s RaaS operations are managed through Telegram and cost prospective customers between $800 and $1,100 for Windows or Linux versions, and between $1,600 and $2,200 for both operating systems. The VolkLocker payload incorporates Telegram automation for command and control, allowing users to send messages to victims, initiate file decryption, list active victims, and obtain system information.

As of November 2025, the group is also advertising remote access trojans and keyloggers, each priced at $500, indicating a broadening monetization strategy.
CyberVolk launched its own RaaS in June 2024. It is known for conducting distributed denial-of-service (DDoS) and ransomware attacks against public and government institutions in support of Russian government interests, and is believed to have originated in India.
“Despite repeated bans and channel deletions of Telegram accounts throughout 2025, CyberVolk re-established its business and expanded its service offering,” Walter said. “Defenders should view CyberVolk’s adoption of Telegram-based automation as reflecting a broader trend among politically motivated threat actors. These groups continue to lower the barrier to ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.”
