The pro-Russia hacktivist group CyberVolk has reemerged with a new ransomware-as-a-service platform called VolkLocker, supporting both Linux and Windows systems. First documented in 2024 by SentinelOne, the group returned after a period of inactivity caused by Telegram bans. Despite advanced automation via Telegram bots, the malware features significant encryption flaws that could allow victims to recover files without payment.
CyberVolk, a pro-Russia hacktivist group aligned with Russian interests, first gained attention in late 2024 through attacks using various ransomware families. After going silent due to Telegram enforcement actions earlier in 2025, the group resurfaced in August 2025 with VolkLocker, a ransomware-as-a-service (RaaS) operation written in Go (Golang). This cross-platform malware expands the group's reach by targeting both Windows and Linux environments, enabling operators to build variants from a few simple inputs: a Bitcoin address, Telegram bot token, chat ID, encryption deadline, custom file extension, and self-destruct options.
VolkLocker relies heavily on Telegram for automation, with the bot 'CyberVolk_Kbot' handling victim communications, infection control, and decryption management. The ransomware uses AES-256 in Galois/Counter Mode (GCM) encryption, employing a 32-byte master key encoded as a 64-character hex string. However, a critical flaw persists: the same hardcoded master key is used for all files and saved in plaintext within a file containing the victim ID and attacker's Bitcoin address. Security researchers from SentinelOne attribute this to a developer test function accidentally left in production builds, highlighting the group's immature quality control.
On Windows, VolkLocker attempts privilege escalation by exploiting the 'ms-settings' User Account Control bypass, modifying the registry key HKCU\Software\Classes\ms-settings\shell\open\command to run with administrator rights. It disables Windows Defender and recovery tools via registry edits and PowerShell, blocks access to Task Manager, Command Prompt, and Registry Editor, and ensures persistence by copying itself to directories like %APPDATA%, %PUBLIC%\Documents, and %ProgramData%\Microsoft\Network. The malware also performs environmental discovery, enumerating processes to detect virtual machines such as VirtualBox, VMware, and QEMU, and checking MAC addresses against vendor prefixes to evade sandboxes.
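The registry key and persistence directories named above are concrete, host-observable indicators. As an added example that is not part of the original report, the following detector runs over constructed, simplified Sysmon-style events (registry writes and file creations; the record layout is hypothetical) and flags a process that both writes the ms-settings UAC-bypass key and drops an executable into one of the listed persistence paths:

```python
import re

# Constructed sample telemetry (hypothetical, simplified Sysmon-style records;
# not taken from the report): registry value writes and file creations.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "data": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"type": "registry_set", "image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": "OneDrive"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "path": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "path": r"C:\ProgramData\Microsoft\Network\invoice.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "path": r"C:\Users\Public\Documents\invoice.exe"},
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\report.docx"},
]

UAC_BYPASS = "ms-settings UAC bypass key written"
PERSISTENCE = "executable dropped in a VolkLocker persistence directory"

# Registry key named in the report (compared case-insensitively).
MS_SETTINGS_KEY = r"hkcu\software\classes\ms-settings\shell\open\command"

# Expansions of %APPDATA%, %PUBLIC%\Documents and %ProgramData%\Microsoft\Network;
# a hit requires an .exe landing directly inside one of them.
PERSIST_DIRS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I),
    re.compile(r"^c:\\users\\public\\documents\\[^\\]+\.exe$", re.I),
    re.compile(r"^c:\\programdata\\microsoft\\network\\[^\\]+\.exe$", re.I),
]

def classify(event):
    """Return the indicator matched by one event, or None."""
    if event["type"] == "registry_set" and event["key"].lower() == MS_SETTINGS_KEY:
        return UAC_BYPASS
    if event["type"] == "file_create" and any(p.match(event["path"]) for p in PERSIST_DIRS):
        return PERSISTENCE
    return None

def correlate(events):
    """Group matched indicators by the process image that produced them."""
    hits = {}
    for e in events:
        reason = classify(e)
        if reason:
            hits.setdefault(e["image"], set()).add(reason)
    return hits

def high_confidence(events):
    """Images that both wrote the UAC-bypass key and dropped a copy into a persistence path."""
    return sorted(img for img, r in correlate(events).items() if {UAC_BYPASS, PERSISTENCE} <= r)

if __name__ == "__main__":
    for img, reasons in correlate(SAMPLE_EVENTS).items():
        print(img, sorted(reasons))
    print("high confidence:", high_confidence(SAMPLE_EVENTS))
```

Either indicator alone is worth an alert; the correlation step only ranks the combination higher, since a legitimate installer may write to %APPDATA% while almost nothing benign touches the ms-settings command key.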
A dynamic HTML ransom note displays a 48-hour countdown timer, though the timer itself is purely cosmetic. After the deadline, a separate routine corrupts processes, deletes user directories, wipes Volume Shadow Copies, and triggers a Blue Screen of Death using the NtRaiseHardError() API. The Linux variants use the same encryption scheme and Telegram controls. Base builds lack obfuscation, and operators are advised to pack samples with UPX.
Indicators of compromise include Windows sample hash dcd859e5b14657b733dfb0c22272b82623466321, Linux sample 0948e75c94046f0893844e3b891556ea48188608, Bitcoin address bc1qujgdzl0v82gh9pvmg3ftgnknl336ku26nnp0vy, and Telegram bot @CyberVolk_Kbot. While the flaws undermine its effectiveness, VolkLocker demonstrates how politically motivated actors are streamlining ransomware via messaging platforms.