Ethical Hacking News
Cybersecurity researchers have found a critical flaw in the latest ransomware-as-a-service (RaaS) operation from the pro-Russian hacktivist collective CyberVolk. VolkLocker, which is built and controlled through Telegram's bot automation, ships its master encryption key hardcoded inside the payload executables. Anyone who can pull that key out of a sample can decrypt the affected files, so victims have no need to pay the extortion fee. Despite the oversight, the operation reflects a broader trend among politically motivated threat actors toward cheap, low-skill ransomware deployment.
Researchers have been tracking the resurgence of CyberVolk, which has been active again on the dark web since late summer. The latest iteration of its operation, dubbed VolkLocker, is a RaaS whose payload-building and command-and-control workflow runs on Telegram's bot automation.
According to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and its flawed code in a report published on Thursday, CyberVolk 2.x hardcodes the master encryption key, the key used to encrypt files on a victim's system, into the payload executables. Because the key ships with every sample, victims (or responders holding a copy of the binary) can recover encrypted data without paying the extortion fee.
The operation is run entirely through Telegram, which lets affiliates with little technical expertise deploy ransomware. Affiliates use the platform's built-in bot automation to generate payloads, coordinate attacks, and manage their victims.
CyberVolk's adoption of Telegram-based automation reflects a broader trend among politically motivated threat actors, who keep lowering the barrier to ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services. The payload is customizable, and some operators have added capabilities such as keylogging and remote access trojan (RAT) commands.
Operators building a new VolkLocker payload must supply a bitcoin address, a Telegram bot token, a Telegram chat ID, an encryption deadline, the file extension to append to encrypted files, and self-destruct options. The default Telegram C2 exposes commands to message all infected victims, initiate file decryption, list active victims, message a specific victim, and retrieve a victim's system information. Since the payload has to carry the bot token and chat ID to reach its C2, a captured sample is also a good source of infrastructure indicators for tracking the affiliate behind it.
Once deployed on a victim's system, the ransomware escalates privileges by bypassing Windows User Account Control (UAC) so that it runs with administrator rights (the article does not describe which bypass is used). It decides what to encrypt from exclusion lists of paths and extensions compiled into the malware, so the lists are fixed per build, and it encrypts files with AES-256 in GCM mode.
However, CyberVolk's RaaS operation is marred by a critical oversight: instead of generating encryption keys dynamically, it hardcodes them in the binary as hex strings. That matters doubly because the cipher is AES-GCM. An authenticated mode rejects a wrong key at tag verification, so a responder who extracts every 64-hex-character string from a sample (the footprint of a 32-byte AES-256 key stored as text) can simply try each one and keep the key that decrypts cleanly. The plaintext master key "likely represents a test artifact inadvertently shipped in production builds," Walter wrote. "CyberVolk operators may be unaware that affiliates are deploying builds with the backupMasterKey() function still embedded."
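The recovery route described above, as an added example in Go (not code from the article, SentinelOne's report, or the VolkLocker payload). It goes a step beyond the text by showing the whole loop: a small encryptor that models the flaw (AES-256-GCM with a hardcoded hex key), a scan of a constructed "binary image" for 64-hex-digit runs, and a decryptor that tries every candidate and lets GCM's tag verification pick the real key. The key value, the fake binary image, the function names, and the encrypted-file layout (nonce || ciphertext || tag) are all assumptions made for this example; the article does not describe VolkLocker's file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Constructed master key for this example, standing in for the hex string
// the reporting says is hardcoded in VolkLocker builds. Not the real key.
const hardcodedMasterKeyHex = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// hexKeyPattern matches exactly 64 hex digits delimited by non-hex bytes:
// the textual footprint of a 32-byte AES-256 key embedded in a binary.
var hexKeyPattern = regexp.MustCompile(`(?i)\b[0-9a-f]{64}\b`)

// newGCM builds an AES-256-GCM AEAD from a hex-encoded 32-byte key.
func newGCM(keyHex string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile models the payload's encryption step: AES-256-GCM with a
// random 12-byte nonce. The output layout nonce || ciphertext || tag is an
// assumption for this example.
func encryptFile(keyHex string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(keyHex)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, nil) // ciphertext || tag
	return append(nonce, sealed...), nil
}

// candidateKeys returns every 64-hex-digit run found in a binary image,
// which is what `strings` plus a grep would give a responder.
func candidateKeys(image []byte) []string {
	matches := hexKeyPattern.FindAll(image, -1)
	keys := make([]string, 0, len(matches))
	for _, m := range matches {
		keys = append(keys, string(m))
	}
	return keys
}

// recoverFile tries each candidate key against the encrypted blob. GCM's
// authentication tag makes a wrong key fail loudly, so the first key that
// opens the blob is the one the payload used.
func recoverFile(image, blob []byte) ([]byte, string, error) {
	for _, keyHex := range candidateKeys(image) {
		aead, err := newGCM(keyHex)
		if err != nil {
			continue
		}
		ns := aead.NonceSize()
		if len(blob) < ns+aead.Overhead() {
			continue
		}
		plaintext, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
		if err == nil {
			return plaintext, keyHex, nil
		}
	}
	return nil, "", errors.New("no embedded key decrypts the file")
}

// fakeBinaryImage is a constructed stand-in for a payload executable: some
// junk, a SHA-256-looking decoy hex string (real binaries are full of them),
// and the hardcoded key. The decoy shows why tag verification is needed.
func fakeBinaryImage() []byte {
	decoy := "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
	return []byte("MZ\x90\x00...\x00backupMasterKey\x00" + decoy + "\x00" + hardcodedMasterKeyHex + "\x00.rdata")
}

func main() {
	original := []byte("quarterly-report.xlsx contents (constructed sample)")
	blob, err := encryptFile(hardcodedMasterKeyHex, original)
	if err != nil {
		panic(err)
	}
	plaintext, keyHex, err := recoverFile(fakeBinaryImage(), blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with key %s...: %q\n", keyHex[:8], plaintext)
}
```

The design point is that authenticated encryption turns key recovery into a mechanical search: there is no need to judge whether decrypted bytes "look right", because AES-GCM's Open returns an error for every wrong candidate and a clean plaintext for the right one. Against a real sample the same scan should be run on each build separately, since nothing guarantees every affiliate's payload still carries the key.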
This points to an operation that is struggling to keep quality control while aggressively recruiting lesser-skilled affiliates. Two cautions follow for defenders: the free decryption only applies to builds that still ship the key, so each sample should be checked rather than assumed recoverable, and the group can close the leak in a future build. Even so, network defenders should read CyberVolk's move to Telegram-based automation as a sign of where politically motivated threat actors are heading.
Related Information:
https://www.ethicalhackingnews.com/articles/CyberVolks-Flawed-Ransomware-Operation-Exposes-Vulnerabilities-in-Telegram-Based-Threat-Actors-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/
Published: Thu Dec 11 15:14:52 2025 by llama3.2 3B Q4_K_M