- The pro-Russian hacktivist group CyberVolk introduced a flawed ransomware-as-a-service named VolkLocker in August 2025.
- VolkLocker targets both Windows and Linux systems and encrypts files using AES-256 Galois/Counter Mode.
- Critical errors in VolkLocker’s design expose master keys, allowing files to be decrypted without paying ransom.
- The ransomware enforces a 48-hour deadline with a destructive timer that wipes key user folders if conditions are unmet.
- CyberVolk sells ransomware and malware tools through Telegram, continuing its operations despite bans and takedowns.
The pro-Russian hacktivist group CyberVolk (also known as GLORIAMIST) relaunched its ransomware-as-a-service (RaaS) offering, named VolkLocker, in August 2025. The malware targets Windows and Linux systems and is developed in the Golang programming language. This new ransomware variant comes with automation features operated through the Telegram messaging platform, allowing users to manage victims remotely.
Operators setting up new VolkLocker builds must provide several parameters, including a Bitcoin address, Telegram bot token, chat ID, encryption deadline, desired file extensions, and self-destruct options, as explained by security researcher Jim Walter in a detailed report. Once executed, VolkLocker escalates privileges, performs system reconnaissance, and identifies files to encrypt based on its configuration. It uses AES-256 encryption in Galois/Counter Mode (a cryptographic method combining encryption and authentication) and marks encrypted files with unique file extensions such as “.locked” or “.cvolk”.
However, analysis of test samples revealed a significant vulnerability: the ransomware’s master cryptographic keys are hard-coded into the executable files and also saved as plaintext in a file named “system_backup.key” within the %TEMP% directory. This file is never removed, effectively allowing victims to restore their data without paying the ransom.
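A defender-side triage check built on the artifacts named above, as an added example that is not from the researcher's report or the original article: it preserves a leftover `system_backup.key` together with its SHA-256 and counts files carrying the “.locked” or “.cvolk” extensions. The directory layout, the function names and the assumption that the extension is appended as a suffix are illustrative; the key file's contents are treated as opaque bytes.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

KEY_FILE_NAME = "system_backup.key"        # artifact name reported in the article
LOCKED_EXTENSIONS = (".locked", ".cvolk")  # extensions reported in the article

def triage(temp_dir, user_dirs, evidence_dir):
    """Preserve a leftover key file and count encrypted files per directory."""
    report = {"key_file": None, "key_sha256": None, "preserved_as": None, "encrypted": {}}
    temp_dir = Path(temp_dir)
    entries = temp_dir.iterdir() if temp_dir.is_dir() else []
    for entry in entries:
        # Compare case-insensitively: Windows file names are not case-sensitive.
        if entry.is_file() and entry.name.lower() == KEY_FILE_NAME:
            digest = hashlib.sha256(entry.read_bytes()).hexdigest()
            evidence = Path(evidence_dir)
            evidence.mkdir(parents=True, exist_ok=True)
            dest = evidence / f"{digest[:16]}_{KEY_FILE_NAME}"
            shutil.copy2(entry, dest)  # copy, never move: leave the original in place
            report.update(key_file=str(entry), key_sha256=digest, preserved_as=str(dest))
            break
    for d in user_dirs:
        count = 0
        for _root, _dirs, files in os.walk(d):
            # Assumption: the ransomware appends its extension as a suffix.
            count += sum(1 for f in files if f.lower().endswith(LOCKED_EXTENSIONS))
        report["encrypted"][str(d)] = count
    # Key present plus encrypted files: escalate for key-based recovery.
    report["recovery_candidate"] = bool(report["key_file"]) and any(report["encrypted"].values())
    return report

def demo():
    """Run triage over a constructed directory layout (sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        temp, docs, desk = base / "Temp", base / "Documents", base / "Desktop"
        for p in (temp, docs / "sub", desk):
            p.mkdir(parents=True)
        (temp / "System_Backup.KEY").write_bytes(b"constructed-placeholder-key-material")
        (docs / "report.docx.locked").write_bytes(b"x")
        (docs / "sub" / "photo.jpg.cvolk").write_bytes(b"x")
        (docs / "notes.txt").write_bytes(b"x")
        result = triage(temp, [docs, desk], base / "evidence")
        result["evidence_exists"] = Path(result["preserved_as"]).is_file()
        return result, str(docs), str(desk)

if __name__ == "__main__":
    print(demo()[0])
```

On a real host, point `temp_dir` at the affected user's temporary directory and write `evidence_dir` to external or read-only media.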
VolkLocker modifies Windows Registry settings to hinder recovery and analysis processes, deletes volume shadow copies (which are backup snapshots), and terminates security-related processes including Microsoft Defender Antivirus. Notably, the ransomware implements a strict timer that erases the contents of key user directories like Documents, Desktop, Downloads, and Pictures if ransom is not paid within 48 hours or if incorrect decryption keys are entered three times.
CyberVolk charges approximately $800–$1,100 (USD) for either the Windows or Linux versions of VolkLocker, or $1,600–$2,200 for both platforms. Their service includes Telegram-based command-and-control features for victim communication and system management. Since November 2025, the group has also offered a remote access trojan and keylogger at about $500 each, signaling an expansion in their criminal offerings.
Possibly originating in India and known for carrying out politically motivated cyberattacks supporting Russian interests, CyberVolk began its RaaS program in June 2024. Despite repeated bans and channel removals on Telegram throughout 2025, the group has restored its operations and grown its range of cybercrime tools. “Defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors,” Jim Walter stated, highlighting how such groups simplify ransomware deployment and leverage convenient online platforms.
