CyberVolk's VolkLocker hampered by plaintext master key flaw

SentinelOne researchers have disclosed a critical flaw in CyberVolk's new VolkLocker ransomware-as-a-service: a hardcoded master key stored in plaintext, enabling victims to decrypt files without ransom payment. Following the group's August 2025 relaunch after Telegram bans, this weakness underscores quality issues in their RaaS ecosystem.

As detailed in prior coverage of VolkLocker's launch, the pro-Russia hacktivist group CyberVolk—known for DDoS and ransomware attacks since 2024—reemerged with this Golang-based RaaS targeting Linux/VMware ESXi and Windows via Telegram builder bots.

The ransomware uses AES-256 in Galois/Counter Mode (GCM) with a 32-byte master key decoded from a 64-character hex string, applying the same key uniformly across all files (renamed with a .locked or .cvolk extension) together with a random 12-byte nonce (IV) per file. Critically, it saves this key in a plaintext file, system_backup.key, in the %TEMP% folder, where it persists and allows recovery.
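To make the recovery point concrete, here is an added example (written for this page, not code from SentinelOne or the VolkLocker sample) that models the key handling described above in Go, the language the article says the RaaS is built in. It parses a 64-character hex key into a 32-byte AES-256 key, encrypts several constructed "files" under AES-256-GCM with a fresh 12-byte nonce each, and shows that the one master key opens all of them, while a wrong key fails the GCM tag check. The on-disk layout (nonce prepended to ciphertext) and the sample key value are assumptions for illustration; the article documents neither.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample key: 64 hex characters decode to 32 bytes (AES-256),
// the shape the article attributes to VolkLocker's master key. It is NOT a
// real key from any sample.
const sampleKeyHex = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"

const nonceSize = 12 // GCM nonce size stated in the article

// keyFilePattern matches content that is exactly a 64-character hex string,
// the format the article gives for the plaintext key file. Useful for
// triaging a recovered system_backup.key before attempting decryption.
var keyFilePattern = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

// ParseMasterKey validates a hex-encoded AES-256 key and returns the raw
// 32 bytes, rejecting anything that does not decode to exactly 32 bytes.
func ParseMasterKey(keyHex string) ([]byte, error) {
	keyHex = strings.TrimSpace(keyHex)
	if !keyFilePattern.MatchString(keyHex) {
		return nil, errors.New("key is not a 64-character hex string")
	}
	return hex.DecodeString(keyHex)
}

// newGCM builds an AES-256-GCM AEAD from a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("want 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random 12-byte nonce. The output
// layout nonce || ciphertext || tag is an ASSUMPTION for this example; the
// article does not document VolkLocker's actual file layout.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a modified ciphertext fails the GCM
// authentication tag and returns an error instead of garbage plaintext.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	return aead.Open(nil, nonce, ct, nil)
}

// RoundTrip shows why a single leaked master key recovers every file: each
// file gets its own nonce, but the same key opens all of them.
func RoundTrip(keyHex string, files [][]byte) (bool, error) {
	key, err := ParseMasterKey(keyHex)
	if err != nil {
		return false, err
	}
	for _, f := range files {
		blob, err := Seal(key, f)
		if err != nil {
			return false, err
		}
		got, err := Open(key, blob)
		if err != nil || !bytes.Equal(got, f) {
			return false, fmt.Errorf("recovery failed: %v", err)
		}
	}
	return true, nil
}

func main() {
	files := [][]byte{[]byte("report.docx contents"), []byte("vm.vmdk header")}
	ok, err := RoundTrip(sampleKeyHex, files)
	fmt.Println("all files recovered with the single master key:", ok, err)
}
```

The design point for defenders is in Open: because GCM authenticates, a recovered key either decrypts a file cleanly or fails loudly, so responders can verify a candidate system_backup.key against one encrypted file before committing to bulk recovery.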

"A test artifact inadvertently shipped in production builds," SentinelOne researchers noted, advising victims to extract the key for decryption.

RaaS access costs $800-$1,100 per OS architecture or $1,600-$2,200 for both, with a Telegram bot for customization. In November 2025, CyberVolk also offered a remote access trojan and keylogger for $500 each.

SentinelOne addressed concerns over early disclosure: "This isn’t a core encryption flaw but a testing artifact from incompetent operators, representative of the ecosystem CyberVolk aims to foster. It’s not reliable beyond specific cases."

While the disclosure aids current victims, it may also prompt the operators to fix the flaw, hardening future VolkLocker versions.
