The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee.
According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows and Linux systems. It’s written in Golang.
“Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options,” security researcher Jim Walter said in a report published last week.
Once launched, the ransomware attempts to escalate privileges, performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors like Oracle and VMware. In the next stage, it lists all available drives and determines the files to be encrypted based on the embedded configuration.
VolkLocker uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang’s “crypto/rand” package. Every encrypted file is assigned a custom extension such as .locked or .cvolk.
However, an analysis of the test samples has uncovered a fatal flaw where the locker’s master keys are not only hard-coded in the binaries, but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder (“C:UsersAppDataLocalTempsystem_backup.key”).
Since this backup key file is never deleted, the design blunder enables self-recovery. That said, VolkLocker has all the hallmarks typically associated with a ransomware strain. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools.
However, where it stands out is in the use of an enforcement timer, which wipes the content of user folders, viz. Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times.
CyberVolk’s RaaS operations are managed through Telegram, costing prospective customers between $800 and $1,100 for either a Windows or Linux version, or between $1,600 and $2,200 for both operating systems. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.
As of November 2025, the threat actors have advertised a remote access trojan and keylogger, both priced at $500 each, indicating a broadening of their monetization strategy.
CyberVolk launched its own RaaS in June 2024. Known for conducting distributed denial-of-service (DDoS) and ransomware attacks on public and government entities to support Russian government interests, it’s believed to be of Indian origin.
“Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings,” Walter said. “Defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.”
