Key Takeaways
- The pro-Russian hacktivist group CyberVolk has launched a new ransomware-as-a-service (RaaS) offering called VolkLocker.
- VolkLocker suffers from implementation lapses, allowing users to decrypt files without paying an extortion fee.
- The ransomware targets both Windows and Linux systems and uses AES-256 in Galois/Counter Mode (GCM) for encryption.
- CyberVolk’s RaaS operations are managed through Telegram, with prices ranging from $800 to $2,200.
- The group has expanded its service offerings to include a remote access trojan and keylogger, priced at $500 each.
Introduction to CyberVolk and VolkLocker
The pro-Russian hacktivist group known as CyberVolk, also referred to as GLORIAMIST, has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker. This new ransomware strain has been found to have implementation lapses in its test artifacts, which allow users to decrypt files without paying an extortion fee. According to SentinelOne, VolkLocker emerged in August 2025 and is capable of targeting both Windows and Linux systems. It is written in Golang, a programming language that is increasingly being used by cybercriminals due to its ease of use and cross-platform compatibility.
VolkLocker’s Capabilities and Flaws
VolkLocker’s capabilities include escalating privileges, performing reconnaissance and system enumeration, and listing all available drives to determine the files to be encrypted. The ransomware uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang’s "crypto/rand" package. Every encrypted file is assigned a custom extension such as .locked or .cvolk. However, an analysis of the test samples has uncovered a fatal flaw where the locker’s master keys are not only hard-coded in the binaries but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder, which enables self-recovery.
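The recovery path this flaw opens, as an added Go example that is not code from SentinelOne, CyberVolk or the original article: it loads a recovered key and uses the GCM authentication tag to confirm the key is correct before any plaintext is accepted. The hex key encoding, the nonce-prefixed blob layout and the names `KeyToGCM`, `Decrypt` and `sampleKeyText` are assumptions, since the page does not describe the file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample key text (not a real VolkLocker key).
var sampleKeyText = strings.Repeat("ab", 32) + "\n"

// KeyToGCM turns recovered key text into an AES-256-GCM instance.
// Assumption: the key file holds 64 hex characters (32 bytes).
func KeyToGCM(keyText string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(strings.TrimSpace(keyText))
	if err != nil || len(key) != 32 {
		return nil, errors.New("recovered key is not 32 hex-encoded bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Decrypt checks the GCM tag and returns the plaintext.
// Assumption: blob layout is nonce || ciphertext || tag.
// A wrong key or altered blob returns an error, never garbage bytes.
func Decrypt(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	gcm, err := KeyToGCM(sampleKeyText)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize()) // all-zero nonce: fixture only
	blob := gcm.Seal(nonce, nonce, []byte("quarterly-report"), nil)
	pt, err := Decrypt(gcm, blob)
	fmt.Printf("%q %v\n", pt, err)
}
```

Because GCM authenticates every blob, a candidate key can be validated offline against a copy of a single encrypted file before any bulk recovery is attempted.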
VolkLocker’s Ransomware Tactics
VolkLocker has all the hallmarks typically associated with a ransomware strain. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools. The ransomware also uses an enforcement timer, which wipes the content of user folders, such as Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times. This tactic is designed to increase the pressure on victims to pay the ransom, and it highlights the importance of having robust backup and disaster recovery systems in place.
CyberVolk’s RaaS Operations
CyberVolk’s RaaS operations are managed through Telegram, with prices ranging from $800 to $2,200. The group offers VolkLocker for Windows, for Linux, or for both operating systems, with the price depending on the customer’s requirements. The payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information. This level of automation and customer support is unusual in the ransomware-as-a-service market, and it highlights the sophistication and professionalism of CyberVolk’s operations.
CyberVolk’s History and Motivations
CyberVolk launched its own RaaS in June 2024 and is known for conducting distributed denial-of-service (DDoS) and ransomware attacks on public and government entities to support Russian government interests. The group is believed to be of Indian origin, and its motivations are likely driven by a combination of financial and ideological factors. Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings. This resilience and adaptability highlight the challenges faced by law enforcement and cybersecurity professionals in disrupting and dismantling ransomware groups.
Conclusion and Recommendations
In conclusion, CyberVolk’s new ransomware-as-a-service offering, VolkLocker, poses a significant threat to organizations and individuals alike. The ransomware’s implementation lapses and flaws provide a glimmer of hope for victims, but the group’s sophistication and professionalism highlight the need for robust cybersecurity measures. Defenders should be aware of the broader trends among politically motivated threat actors, who continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services. As such, it is essential to prioritize cybersecurity awareness, implement robust backup and disaster recovery systems, and stay informed about the latest threats and trends in the ransomware landscape.