Current Cyber Threats

CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains

Summary:
Cybersecurity researchers have documented the return of CyberVolk, a pro-Russia hacktivist persona that has evolved into a Ransomware-as-a-Service (RaaS) provider following a period of dormancy in early 2025. Its new offering, VolkLocker, is a Golang-based ransomware targeting both Windows and Linux environments. The group distinguishes itself through heavy reliance on Telegram-based automation for command and control, allowing affiliates to manage infections, broadcast messages, and trigger file decryption via a bot interface. VolkLocker employs an "ms-settings" UAC bypass for privilege escalation and AES-256-GCM for encryption. Notably, the current version contains a critical design flaw: the master encryption key is not generated dynamically but is hardcoded and written in plaintext to the file %TEMP%\system_backup[.]key. This provides a direct, cost-free recovery path for victims. Despite this quality-control failure, the group is aggressively expanding, recently adding standalone Remote Access Trojans (RATs) and keyloggers to its service portfolio.


Security Officer Comments:
The re-emergence of CyberVolk represents a high-priority threat because their hacktivist roots drive them to prioritize targets aligned with Russian state interests rather than purely financial gain. Public institutions and critical infrastructure providers in sectors such as government, finance, and utilities should consider themselves high-probability targets for these politically motivated campaigns. Furthermore, the group's shift toward a low-barrier RaaS model, leveraging Telegram to automate the entire attack lifecycle, enables them to recruit a high volume of lesser-skilled affiliates. This industrialization of their workflow increases the overall frequency of attacks, regardless of the current bugs in their payloads. Most importantly, the discovery of "debug artifacts" like hardcoded keys in the VolkLocker builds underscores the critical importance of information-sharing.

Suggested Corrections:

To defend against the specific techniques utilized by VolkLocker, organizations should prioritize monitoring registry integrity and hardening system configurations against unauthorized administrative changes.

  • Audit Registry Permissions: Monitor for unauthorized modifications to the HKCU\Software\Classes\ms-settings\shell\open\command registry key. This is the specific vector used by VolkLocker for UAC bypass and privilege escalation.
  • Identify Local Key Backups: In the event of a suspected infection, incident responders should immediately check for the presence of %TEMP%\system_backup.key. Identifying this plaintext artifact can allow for immediate data recovery without interacting with the threat actors.
  • Harden PowerShell and CMD: Implement PowerShell Constrained Language Mode and restrict access to cmd[.]exe for non-administrative users. This prevents the malware from successfully executing the scripts required to disable Windows Defender and other security tools.
  • Monitor Network Telemetry: Since the C2 infrastructure is entirely Telegram-based, organizations should monitor for and alert on unusual outbound traffic to Telegram API ranges from servers or critical workstations.
  • Immutable Backups: Maintain offline or immutable cloud backups to ensure data can be restored even if the ransomware successfully executes its destructive routines, which include deleting local Volume Shadow Copies.
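As an added, read-only triage check for the host artifacts named above (this script is not part of the original bulletin or the SentinelOne report), the following PowerShell inspects the ms-settings handler key, looks for the plaintext key file, and counts Volume Shadow Copies. It assumes it is run in the suspect user's session (so HKCU and $env:TEMP resolve to that user) and, for the shadow-copy query, from an elevated prompt.

```powershell
# Added example: VolkLocker host triage (reads only; moves or deletes nothing).
$findings = @()

# 1. The ms-settings\shell\open\command key does not exist on a clean profile, so any
#    value under it is suspect. Record every value rather than only the (default) command.
$regPath = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path -Path $regPath) {
    $props = Get-ItemProperty -Path $regPath
    $values = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop provider metadata
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    $findings += [pscustomobject]@{
        Artifact = 'Registry'
        Location = $regPath
        Detail   = ($values -join '; ')
    }
}

# 2. The plaintext key backup described in the report. Hash it in place so the
#    artifact can be preserved for recovery and evidence handling.
$keyFile = Join-Path -Path $env:TEMP -ChildPath 'system_backup.key'
if (Test-Path -Path $keyFile -PathType Leaf) {
    $item = Get-Item -Path $keyFile
    $hash = (Get-FileHash -Path $keyFile -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Artifact = 'File'
        Location = $keyFile
        Detail   = "Size=$($item.Length) bytes; SHA256=$hash"
    }
}

# 3. The report notes the ransomware deletes local Volume Shadow Copies; a count of
#    zero on a host that normally keeps them is a corroborating sign (needs elevation).
try {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    $findings += [pscustomobject]@{
        Artifact = 'ShadowCopies'
        Location = 'Win32_ShadowCopy'
        Detail   = "Count=$($shadows.Count)"
    }
} catch {
    Write-Warning "Could not enumerate shadow copies (run elevated): $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No VolkLocker host artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On a multi-user server, repeat the registry check against each loaded hive under HKU: rather than only HKCU, since the bypass key lives in the profile of whichever account ran the payload.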

Link(s):
https://www.sentinelone.com/blog/cy...ocker-brings-new-features-with-growing-pains/