VolkLocker Ransomware Returns With Critical Crypto Flaw Allowing Free Decryption

15.12.2025 | Author: Newsman

The pro-Russia hacktivist group CyberVolk has resurfaced in 2025 with a new ransomware-as-a-service offering called VolkLocker, capable of targeting both Windows and Linux. A critical implementation flaw, however, potentially allows victims to decrypt their files without paying a ransom.

VolkLocker, a Golang-based ransomware, is configured and managed through Telegram bots, where operators specify parameters such as the Bitcoin address, bot token, and chat ID, making deployment accessible even to less skilled affiliates.

Upon execution, the malware performs environment checks and privilege escalation, then encrypts files using AES-256-GCM. However, its master encryption key is hardcoded in the binary and also written in plaintext to a temporary file on the infected system, creating a trivial method for victims to recover data.
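How a responder could confirm which leftover file holds a usable key when its name is unknown, as an added example that is not code from the original article or from any VolkLocker analysis. The hex encoding of the key file, the `nonce || ciphertext || tag` layout, and all function and file names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// gcmFor returns AES-256-GCM for a key whose 32-byte length the caller has checked.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// findKey tries each file in dir as a hex-encoded key (assumed encoding) against sample,
// assumed to be 12-byte nonce || ciphertext || 16-byte tag; only a valid GCM tag is accepted.
func findKey(dir string, sample []byte) (string, []byte) {
	entries, _ := os.ReadDir(dir) // an unreadable directory yields no candidates
	for _, e := range entries {
		raw, _ := os.ReadFile(filepath.Join(dir, e.Name()))
		key, err := hex.DecodeString(string(bytes.TrimSpace(raw)))
		if err != nil || len(key) != 32 || len(sample) < 12+16 {
			continue
		}
		if pt, err := gcmFor(key).Open(nil, sample[:12], sample[12:], nil); err == nil {
			return e.Name(), pt
		}
	}
	return "", nil
}

// demo runs findKey on constructed data: a decoy file, a key file, one encrypted sample.
func demo() (string, string) {
	dir, _ := os.MkdirTemp("", "triage")
	defer os.RemoveAll(dir)
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, not from any real sample
	os.WriteFile(filepath.Join(dir, "a_decoy.tmp"), []byte(hex.EncodeToString(make([]byte, 32))), 0o600)
	os.WriteFile(filepath.Join(dir, "b_key.tmp"), []byte(hex.EncodeToString(key)+"\n"), 0o600)
	nonce := make([]byte, 12) // fixed nonce is acceptable only for this one-off demo
	blob := append(nonce, gcmFor(key).Seal(nil, nonce, []byte("quarterly report"), nil)...)
	name, pt := findKey(dir, blob)
	return name, string(pt)
}

func main() { fmt.Println(demo()) }
```

Because GCM is authenticated, a wrong candidate fails tag verification instead of producing garbage, so one encrypted sample is enough to confirm a recovered key before attempting bulk recovery on copies of the affected files.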

Security analysts believe this key storage reflects a test artifact left in production builds, undermining both the ransomware’s effectiveness and the operational quality of CyberVolk’s RaaS platform.

Although VolkLocker’s return could pose a significant threat in the ransomware ecosystem, its fundamental cryptographic vulnerability renders it less dangerous, offering potential free data recovery. Nonetheless, organizations must continue strengthening defenses as such tools evolve.
