The pro-Russia hacktivist group CyberVolk launched a ransomware-as-a-service (RaaS) called VolkLocker that suffered from serious implementation flaws, allowing victims to potentially decrypt files for free.
According to SentinelOne researchers who examined the new ransomware family, the encryptor uses a hardcoded master key in the binary, which is also written in plaintext in a hidden file on affected machines.
This allows targeted companies to use the key to decrypt files for free, undermining VolkLocker's potential in the cybercrime space.
Hacktivism and cybercrime
CyberVolk is reportedly an India-based pro-Russia hacktivist collective that started operations last year, launching distributed denial of service and ransomware attacks against public and government entities opposing Russia or siding with Ukraine.
While the group was disrupted on Telegram, it returned in August 2025 with a new RaaS program, VolkLocker (CyberVolk 2.x), which targets both Linux/VMware ESXi and Windows systems.
An interesting feature of VolkLocker is the use of a Golang timer function in its code, which, when it expires or when an incorrect key is entered in the HTML ransomware note, triggers the wiping of user folders (Documents, Downloads, Pictures, and Desktop).
The timer function that triggers the wiper
Source: SentinelOne
Access to the RaaS costs between $800 and $1,100 for a single OS architecture, or $1,600 to $2,200 for both.
... continue reading