VolkLocker Ransomware Exposes Vulnerabilities in RaaS Model
Full Transcript
The pro-Russian hacktivist group known as CyberVolk, also referred to as GLORIAMIST, has introduced a new ransomware-as-a-service offering called VolkLocker. According to SentinelOne, VolkLocker, which emerged in August 2025, is capable of targeting both Windows and Linux systems and is written in Golang.
Security researcher Jim Walter reported that operators must provide a bitcoin address, a Telegram bot token ID, a Telegram chat ID, an encryption deadline, a desired file extension, and self-destruct options to build new VolkLocker payloads.
The ransomware attempts to escalate privileges, performs reconnaissance, and fingerprints the host by checking local MAC address prefixes against those of known virtualization vendors such as Oracle and VMware, a common check for virtual machines and analysis sandboxes. It then lists all available drives and determines which files to encrypt based on the embedded configuration.
VolkLocker utilizes AES-256 in Galois/Counter Mode for encryption, and every encrypted file is assigned a custom extension such as .locked or .cvolk. However, a significant flaw has been discovered where the master keys are hard-coded in the binaries and stored in a plaintext file located in the %TEMP% directory, enabling victims to decrypt files without paying the ransom.
Despite its otherwise capable feature set, which includes modifying the Windows Registry, deleting volume shadow copies, and terminating processes associated with security tools, this key-handling flaw lets victims recover their files on their own.
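The recovery that the flaw makes possible, shown as an added Go example that is not code from SentinelOne, CyberVolk, or VolkLocker itself: it assumes the dropped key file holds the AES-256 key as 64 hex characters and that each encrypted file is laid out as nonce || ciphertext || tag. Both are assumptions, and a real decryptor must be matched to the actual sample; the point is that with the key in hand, GCM's authentication tag tells you whether a candidate key is right without ever typing it into the malware's own prompt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

// ParseKey reads a 64-hex-character AES-256 key from dropped key-file text.
// The hex layout is an assumption, not VolkLocker's actual file format.
func ParseKey(s string) ([]byte, error) {
	k, err := hex.DecodeString(strings.TrimSpace(s))
	if err != nil || len(k) != 32 {
		return nil, errors.New("key file does not hold a 256-bit AES key")
	}
	return k, nil
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Recover opens one AES-256-GCM blob laid out as nonce || ciphertext || tag (an
// assumed layout). GCM authenticates, so a wrong key fails instead of producing garbage.
func Recover(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}
// sealForDemo makes a constructed sample in the same layout so the example runs offline.
func sealForDemo(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // random nonce; crypto/rand never returns an error on current Go
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
```

Because a wrong key produces an authentication error rather than corrupt output, candidate keys can be tried against copies of encrypted files offline, which matters given the wiper that triggers after three wrong entries in the ransomware's own interface.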
The ransomware includes an enforcement timer that wipes user folders if victims fail to pay within 48 hours or enter the wrong decryption key three times. CyberVolk's RaaS operations are managed through Telegram, with costs between $800 and $1,100 for a Windows or Linux version, and between $1,600 and $2,200 for both operating systems.
Moreover, the group has advertised a remote access trojan and keylogger for $500 each, indicating a broader monetization strategy. CyberVolk launched its own RaaS in June 2024 and is known for targeting public and government entities to support Russian government interests.
Despite facing repeated bans and removals on Telegram throughout 2025, CyberVolk has successfully reestablished its operations and expanded its service offerings. Walter emphasized that CyberVolk's use of Telegram-based automation reflects a trend among politically motivated threat actors, who are lowering barriers for ransomware deployment while utilizing convenient infrastructure for criminal services.