- CyberVolk has resurfaced with a revamped ransomware-as-a-service model, but its encryptor is fundamentally flawed.
- VolkLocker's hardcoded encryption key allows victims to recover their data for free, undermining the operation.
- The group operates entirely via Telegram and mixes hacktivism with financially motivated ransomware activity.
CyberVolk, a Russian hacktivist group that was dormant for most of 2025, is back and offering an updated version of its RaaS model to affiliates. However, there is a gaping structural hole in the encryptor's key handling that leaves the entire model toothless: files it locks can be unlocked without paying.
CyberVolk is a relatively young pro-Russian hacktivist collective that emerged in 2024. The group’s entire infrastructure is on Telegram, making it a simple process for affiliates to lock files and demand a ransom, even if they aren’t very tech-savvy.
When Telegram acted against the group in 2024 and shut down several of its channels, the group went quiet. Today it is back, apparently working on the same principle: everything is managed through Telegram, and prospective customers and operational queries are directed to the main bot.
Most hacktivists engage in distributed denial of service (DDoS) attacks, cyber espionage, and data theft.
CyberVolk, however, has added ransomware to the mix, making it unclear whether it is a genuine hacktivist outfit or simply a money-motivated crew hiding behind a pro-Russian stance. Cybersecurity researchers at SentinelOne, whose latest report delves deeper into the group and its modus operandi, confirm as much.
The encryptor, VolkLocker, has built-in Telegram automation for command and control, and the C2 setup is customizable by the operator. “Some CyberVolk operators have published examples that include additional features, such as controlling keylogging,” the researchers explained.
It also has functions that alert operators when a new infection occurs, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.
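The Telegram Bot API traffic that this kind of automation produces is also something a defender can hunt for. What follows is an added example of my own, not code from the article or from SentinelOne: it scans constructed proxy-style log lines for calls to the Bot API. Any host requesting https://api.telegram.org/bot<token>/... is by definition bot automation, because interactive Telegram clients do not use that API, so a beacon (sendMessage), a screenshot upload (sendPhoto/sendDocument) and command polling (getUpdates) all stand out. The log format, host and process names, and the token are invented for the demo.

```python
import re

# Constructed proxy log lines for the demo (not real telemetry); the bot token is fake.
SAMPLE_LOG = """\
2025-11-03T09:12:01Z host=WS-0412 proc=svchost.exe method=GET url=https://update.example.test/catalog bytes=1204
2025-11-03T09:12:44Z host=WS-0412 proc=winupd.exe method=POST url=https://api.telegram.org/bot7031:AAFakeTokenForDemo/sendMessage bytes=612
2025-11-03T09:12:45Z host=WS-0412 proc=winupd.exe method=POST url=https://api.telegram.org/bot7031:AAFakeTokenForDemo/sendPhoto bytes=48211
2025-11-03T09:13:10Z host=WS-0199 proc=Telegram.exe method=GET url=https://web.telegram.org/a/ bytes=9011
2025-11-03T09:14:02Z host=WS-0412 proc=winupd.exe method=GET url=https://api.telegram.org/bot7031:AAFakeTokenForDemo/getUpdates?offset=5 bytes=220
"""

# Assumed key=value log layout; adapt LINE_RE to whatever your proxy/EDR actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) bytes=(?P<bytes>\d+)$"
)
# Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<call>[A-Za-z]+)")

EXFIL_CALLS = {"sendMessage", "sendPhoto", "sendDocument"}  # beacon text / screenshot upload
POLL_CALLS = {"getUpdates"}                                  # bot reading operator commands


def redact_token(token):
    """Keep the numeric bot id (useful for pivoting), drop the secret half."""
    bot_id, _, _secret = token.partition(":")
    return bot_id + ":***"


def classify(url, method):
    """Return a finding dict for Bot API calls, None for everything else."""
    m = BOT_API_RE.match(url)
    if not m:
        return None
    call = m.group("call")
    if call in EXFIL_CALLS and method == "POST":
        kind = "exfil"
    elif call in POLL_CALLS:
        kind = "c2-poll"
    else:
        kind = "bot-api-other"
    return {"call": call, "kind": kind, "token": redact_token(m.group("token"))}


def scan(log_text):
    """Parse each line and collect Bot API hits with host/process context."""
    findings = []
    for line in log_text.splitlines():
        rec = LINE_RE.match(line)
        if not rec:
            continue
        hit = classify(rec.group("url"), rec.group("method"))
        if hit:
            findings.append({
                "ts": rec.group("ts"),
                "host": rec.group("host"),
                "proc": rec.group("proc"),
                "bytes": int(rec.group("bytes")),
                **hit,
            })
    return findings


def group_by_process(findings):
    """(host, process) -> set of behaviours seen; exfil plus c2-poll from one binary is the strong signal."""
    out = {}
    for f in findings:
        out.setdefault((f["host"], f["proc"]), set()).add(f["kind"])
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(group_by_process(scan(SAMPLE_LOG)))
```

In practice you would feed this real proxy or EDR network telemetry and allowlist the handful of hosts that legitimately run Telegram bots (monitoring alerts, chat-ops), since everything else hitting the Bot API from a workstation deserves a look; the numeric bot id survives redaction so the same bot can be tracked across hosts.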
But the tool's encryption key is not generated per victim at runtime. It is hardcoded as a hexadecimal string in the binaries, so anyone who can pull that string out of a sample can decrypt every file the locker touched, and victims can recover all of their data without paying the ransom. SentinelOne believes the key was probably left in by mistake, much as legitimate software developers sometimes ship hardcoded credentials in their products, which makes this a disappointing return for the group.
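To make concrete why a hardcoded key is fatal, here is an added example of my own (not VolkLocker's code, and not anything from SentinelOne's report): it pulls AES-sized hex literals out of a constructed stand-in binary and tries each one as the key against a locked file, which is all a victim needs when the key never changes. The binary layout, the key value, the file format and the cipher (HMAC-SHA256 in counter mode as a keystream) are assumptions for the demo; the article does not describe VolkLocker's actual algorithm or config format.

```python
import hashlib
import hmac
import re
import secrets
import struct

# Constructed stand-in for a locker binary: a PE-like header, filler bytes and a
# config blob in which the key sits as an ASCII hex string (value invented here).
HARDCODED_KEY_HEX = b"0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdef0123456789abcdef"
FAKE_BINARY = (
    b"MZ\x90\x00" + bytes(range(256)) * 2
    + b"\x00enc_key=" + HARDCODED_KEY_HEX + b"\x00"
    + b"tg_chat=-1001234567890\x00" + bytes(range(256))
)

# Runs of ASCII hex not bordered by more hex; 32/48/64 chars decode to 16/24/32-byte keys.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,64}(?![0-9A-Fa-f])")
NONCE_LEN = 16


def find_hex_key_candidates(blob, key_sizes=(16, 24, 32)):
    """Return (offset, key_bytes) for every hex literal that decodes to a plausible key length."""
    hits = []
    for m in HEX_RUN.finditer(blob):
        raw = bytes.fromhex(m.group().decode("ascii"))
        if len(raw) in key_sizes:
            hits.append((m.start(), raw))
    return hits


def keystream_xor(key, nonce, data):
    """Toy cipher standing in for whatever VolkLocker really uses: a PRF (HMAC-SHA256)
    run in counter mode produces the keystream, which is XORed over the data."""
    out = bytearray()
    for block_no, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def lock_file(plaintext, key):
    """Encrypt with a fresh nonce; the nonce is stored in the clear in front of the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unlock_file(locked, key):
    return keystream_xor(key, locked[:NONCE_LEN], locked[NONCE_LEN:])


def recover_without_paying(locker_binary, locked, known_magic):
    """Try every key pulled from the binary; accept the one whose output starts with known_magic
    (e.g. b'%PDF' or b'PK\\x03\\x04'), which is how you tell a right key from a wrong one."""
    for offset, key in find_hex_key_candidates(locker_binary):
        plaintext = unlock_file(locked, key)
        if plaintext.startswith(known_magic):
            return offset, plaintext
    return None


def per_victim_key():
    """What a correctly built locker does instead: a fresh random key per infection, which
    then has to leave the machine (e.g. wrapped with an operator public key, not shown here)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    sample = b"%PDF-1.7\nconstructed victim document\n"
    locked = lock_file(sample, bytes.fromhex(HARDCODED_KEY_HEX.decode()))
    print(recover_without_paying(FAKE_BINARY, locked, b"%PDF"))
```

Against a real sample the same scan would run over the unpacked binary's data sections (a `strings`-style sweep for hex literals of key length, with a look at the surrounding config fields), and each candidate would be tested against one encrypted file whose original format is known. The contrast with `per_victim_key` is the whole point: when the key is minted at runtime and only the operator holds it, extraction from the binary yields nothing, and that is what makes payment the only recovery path.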
Via The Register