VolkLocker Ransomware Exposed After Hard Coded Master Key Enables Free Decryption

Cybersecurity researchers have exposed a critical design flaw in a new ransomware strain called VolkLocker, allowing victims to recover their files without paying a ransom. The malware is operated by the pro-Russian hacktivist group CyberVolk, also known as GLORIAMIST, and is offered under a ransomware-as-a-service (RaaS) model.

The weakness lies in poor cryptographic implementation practices that leave encryption keys accessible on infected systems, effectively neutralizing the extortion attempt.

Emergence of VolkLocker RaaS

According to analysis published by SentinelOne, VolkLocker, also referred to as CyberVolk 2.x, first appeared in August 2025. The ransomware is written in Golang and supports attacks against both Windows and Linux operating systems.

Security researcher Jim Walter noted that operators generating new VolkLocker payloads must configure several parameters. These include a Bitcoin wallet address, Telegram bot token, Telegram chat ID, encryption deadline, custom file extension, and optional self-destruct behavior.

Infection Flow and Encryption Logic

Once executed, VolkLocker attempts to escalate privileges and conducts system reconnaissance. This includes enumerating system details and checking MAC address prefixes against known virtualization vendors such as Oracle and VMware to identify sandbox or virtual environments.

The ransomware then enumerates all available storage volumes and selects files for encryption based on its embedded configuration. File encryption is performed using AES-256 in Galois/Counter Mode (GCM) through Golang’s crypto/rand package. Encrypted files are renamed with attacker-defined extensions such as .locked or .cvolk.

Critical Implementation Flaw Enables Recovery

Analysis of VolkLocker test artifacts revealed a severe flaw in its cryptographic design. The ransomware uses a single master encryption key that is hard-coded directly into the binary. This same master key is reused to encrypt all files on the victim system.

More critically, the malware writes this master key in plaintext to a local file in the temporary directory, at C:\Users\AppData\Local\Temp\system_backup.key.

Because this file is never deleted during or after encryption, victims can retrieve the key and decrypt their files without interacting with the attackers or paying a ransom.
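As an added example that is not from the article or from SentinelOne's analysis, the following Go routine shows how a responder would use the dropped key to recover a file encrypted under the design described above. It assumes the key file holds the raw 32-byte AES-256 key and that each locked file carries its 12-byte GCM nonce in front of the ciphertext and tag; neither layout detail is given in the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"os"
	"path/filepath"
)

// keyFileName is the file name the article reports for the plaintext key drop.
const keyFileName = "system_backup.key"

// LoadLeakedKey reads the dropped key from tmpDir (e.g. os.TempDir()) and checks
// that it has AES-256 length. Raw-byte storage is an assumption, not from the article.
func LoadLeakedKey(tmpDir string) ([]byte, error) {
	key, err := os.ReadFile(filepath.Join(tmpDir, keyFileName))
	if err != nil {
		return nil, fmt.Errorf("no leaked key, recovery impossible: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("key file is %d bytes, AES-256 needs 32", len(key))
	}
	return key, nil
}

// Recover decrypts one locked file with the leaked key. Assumed layout (not
// from the article): 12-byte GCM nonce at the front, then ciphertext and tag.
func Recover(key, locked []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(locked) < ns {
		return nil, fmt.Errorf("file too short to hold a nonce")
	}
	// GCM authenticates: a wrong key or a damaged file fails the tag check,
	// so a bad guess never yields silently corrupted plaintext.
	return gcm.Open(nil, locked[:ns], locked[ns:], nil)
}
```

Because the same master key covers every file, one successful tag check confirms the recovered key for the whole system.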

Destructive Pressure Tactics and System Changes

Despite this weakness, VolkLocker exhibits many behaviors commonly associated with mature ransomware families. It modifies the Windows Registry to hinder recovery, deletes volume shadow copies, and terminates processes related to Microsoft Defender Antivirus and other security or analysis tools.

One notable feature is the use of an enforcement timer. If victims fail to pay within 48 hours or enter an incorrect decryption key three times, the ransomware wipes the contents of key user directories including Documents, Desktop, Downloads, and Pictures. This tactic is designed to increase psychological pressure and accelerate ransom payments.

Telegram Based RaaS Operations

CyberVolk manages its ransomware operations entirely through Telegram. Access to the VolkLocker service reportedly costs between $800 and $1,100 for a single operating system build, either Windows or Linux. Bundled access for both platforms is priced between $1,600 and $2,200.

Each payload includes built-in Telegram automation that allows operators to communicate with victims, initiate decryption, list active infections, and retrieve system information directly from chat interfaces.

By November 2025, the group had expanded its offerings to include a remote access trojan and a keylogger, each sold for $500, signaling an expansion beyond ransomware-focused monetization.

Background on CyberVolk

CyberVolk launched its ransomware-as-a-service operation in June 2024. The group is known for conducting distributed denial-of-service attacks and ransomware campaigns against public sector and government-aligned entities in support of Russian interests. Despite this alignment, researchers believe the group itself is likely of Indian origin.

According to SentinelOne, CyberVolk has repeatedly re-established its presence on Telegram throughout 2025 despite account bans and channel takedowns. The group’s reliance on Telegram automation reflects a broader trend among politically motivated threat actors seeking scalable and low-barrier criminal infrastructure.