Ethical Hacking News

CyberVolk's Ransomware Debuts with Cryptography Weakness, Leaving Victims with a Glimmer of Hope


Pro-Russia hacktivist group CyberVolk has launched a new ransomware-as-a-service (RaaS) called VolkLocker, which suffers from a critical cryptography weakness that could allow victims to decrypt their files for free. The vulnerability was discovered by SentinelOne researchers and highlights the importance of staying vigilant against cyber threats.

  • CyberVolk, a pro-Russia hacktivist group, has launched VolkLocker, a new ransomware-as-a-service (RaaS) program.
  • The program contains a critical cryptography weakness that could allow victims to decrypt files for free.
  • The vulnerability was discovered by SentinelOne researchers and is due to a hardcoded master key and a plaintext file containing the same key on affected machines.
  • The encryptor used by VolkLocker is AES-256 in GCM mode, with a 32-bit master key derived from a 64-character hex string.
  • A plaintext file containing the master key was found in the %TEMP% folder, allowing for potential decryption without paying the ransom.
  • CyberVolk's activities have raised concerns about the spread of malware and potential further attacks.
  • The discovery has sparked debate among cybersecurity experts on whether to disclose such information publicly.


    CyberVolk, a pro-Russia hacktivist group believed to be based in India, has launched a new ransomware-as-a-service (RaaS) program called VolkLocker. The program has been marred by a critical cryptography weakness that could potentially allow targeted companies to decrypt files for free.

    The vulnerability was discovered by SentinelOne researchers, who examined the new ransomware family and found that it uses a hardcoded master key in the binary, as well as a plaintext file containing the same key on affected machines. This allows victims to use the key to decrypt their files, undermining VolkLocker's potential in the cybercrime space.

    According to SentinelOne, the encryptor used by VolkLocker is AES-256 in GCM (Galois/Counter Mode), with a 32-bit master key derived from a 64-character hex string embedded in the binary. A random 12-byte nonce is used as the initialization vector (IV) for each file; the encryptor deletes the original file and appends the .locked or .cvolk file extension to the encrypted copy.

    The problem lies in the fact that VolkLocker uses the same master key to encrypt all files on a victim system, and that same key is also written to a plaintext file (system_backup.key) in the %TEMP% folder. This means that if the ransomware never deletes this backup key file, victims could attempt file recovery by extracting the necessary values from the file.
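    The check described above can be scripted for incident-response triage. The following is an added example, not code from SentinelOne or from the original article: it looks for system_backup.key in a temp folder and lists files carrying the .locked or .cvolk extension. The internal layout of the key file is an assumption (a standalone 64-character hex run somewhere in the text), and the sample host layout is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

KEY_FILE_NAME = "system_backup.key"      # artifact name reported in the article
LOCKED_SUFFIXES = (".locked", ".cvolk")  # extensions reported in the article
# Assumption: the key sits in the file as a standalone run of 64 hex characters.
HEX_KEY_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def extract_key_candidates(text):
    """Return distinct 64-hex-character runs decoded to bytes (32 bytes each)."""
    return list(dict.fromkeys(bytes.fromhex(run) for run in HEX_KEY_RE.findall(text)))


def triage(temp_dir, data_roots):
    """Check temp_dir for the key artifact and list renamed files under data_roots."""
    report = {"key_file": None, "key_candidates": [], "encrypted_files": []}
    key_path = Path(temp_dir) / KEY_FILE_NAME
    if key_path.is_file():
        report["key_file"] = str(key_path)
        text = key_path.read_text(encoding="utf-8", errors="replace")
        report["key_candidates"] = extract_key_candidates(text)
    for root in data_roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                if name.lower().endswith(LOCKED_SUFFIXES):
                    report["encrypted_files"].append(os.path.join(dirpath, name))
    return report


def build_constructed_sample(base):
    """Create a constructed host layout: a temp folder with the artifact, a data folder."""
    temp_dir, docs = Path(base) / "Temp", Path(base) / "Documents"
    temp_dir.mkdir()
    docs.mkdir()
    (temp_dir / KEY_FILE_NAME).write_text("key: " + "ab" * 32 + "\n")  # constructed key
    for name in ("report.docx.locked", "db.sqlite.cvolk", "untouched.txt"):
        (docs / name).write_bytes(b"\x00" * 16)
    return temp_dir, docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        temp_dir, docs = build_constructed_sample(base)
        result = triage(temp_dir, [docs])
        print(result["key_file"], len(result["key_candidates"]), len(result["encrypted_files"]))
```

    On an affected Windows host, pass the user's %TEMP% path as temp_dir and copy the key file to evidence storage before any cleanup tool runs.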

    "This isn't a core encryption flaw but rather a testing artifact that's inadvertently getting shipped to some production builds by incompetent operators and isn't a reliable decryption mechanism beyond those cases," explained a SentinelOne spokesperson. "It's more representative of the ecosystem that CyberVolk is trying to enable through this RaaS offering."

    CyberVolk has been involved in various high-profile attacks against public and government entities opposing Russia or siding with Ukraine. The group has used distributed denial-of-service (DDoS) attacks, as well as ransomware and other forms of malware.

    The VolkLocker RaaS program is available for purchase for between $800 and $1,100 for a single OS architecture, or $1,600 to $2,200 for both Windows and Linux/VMware ESXi systems. Purchasers can access a builder bot on Telegram to customize the encryptor and receive the generated payload.

    In November 2025, CyberVolk began advertising a remote access trojan and a keylogger, priced at $500 each. The group's activities have raised concerns about the spread of malware and the potential for further attacks.

    The discovery of VolkLocker's cryptography weakness has sparked debate among cybersecurity experts about whether it is advisable to disclose such information publicly. Some argue that disclosing vulnerabilities can help prevent exploitation by malicious actors, while others believe that doing so could reduce the usefulness of the weakness being exploited.

    In this case, SentinelOne has chosen to disclose the flaw publicly, citing the fact that it is a testing artifact inadvertently shipped to some production builds and is not a reliable decryption mechanism beyond those cases. The company's spokesperson emphasized that CyberVolk is trying to enable an ecosystem through its RaaS offering, rather than intentionally creating a vulnerability.

    The disclosure of VolkLocker's cryptography weakness serves as a reminder of the importance of keeping up-to-date with the latest cybersecurity threats and vulnerabilities. It also highlights the need for companies and individuals to be vigilant when dealing with ransomware and other forms of malware.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CyberVolks-Ransomware-Debuts-with-Cryptography-Weakness-Leaving-Victims-with-a-Glimmer-of-Hope-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/cybervolks-ransomware-debut-stumbles-on-cryptography-weakness/

  • https://cybersecuritynews.com/cybervolk-hackers-group-with-new-volklocker-payloads/

  • https://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/


  • Published: Sun Dec 14 10:13:36 2025 by llama3.2 3B Q4_K_M












