VolkLocker ransomware contains hard-coded master keys, SentinelOne analysis finds

A pro-Russian hacktivist collective operating as CyberVolk has re-emerged with a ransomware-as-a-service product called VolkLocker that security researchers say surfaced in August 2025 and can target both Windows and Linux systems.

Operators generating a new VolkLocker build must supply configuration parameters such as a bitcoin address, a Telegram bot token ID, a Telegram chat ID, an encryption deadline, desired file extensions and self-destruct options, according to SentinelOne researcher Jim Walter. Before selecting files to encrypt, the ransomware attempts privilege escalation and system enumeration, including a check of local MAC address prefixes against those of virtualization vendors.

Analysts found a significant implementation flaw: the VolkLocker samples examined contain hard-coded master keys used to encrypt files, and the same master key is written in plaintext to a file in the temporary folder at C:\Users\AppData\Local\Temp\system_backup.key. Because that backup key file is never removed, investigators say, victims can recover their files without paying the extortion demand.

Despite the coding error, the malware exhibits many typical ransomware behaviors: it uses AES-256 in Galois/Counter Mode (GCM) via Golang’s crypto packages, appends extensions such as .locked and .cvolk, modifies the Windows Registry to hinder recovery and analysis, deletes volume shadow copies and terminates processes associated with antivirus and analysis tools. The strain also includes an enforcement timer that wipes user folders such as Documents, Desktop, Downloads and Pictures after 48 hours or after three incorrect decryption attempts.
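The following Go program is an added illustration (not SentinelOne's analysis code and not VolkLocker's own source) of why a plaintext master key left on disk undoes the encryption: it writes a constructed 32-byte key to a file named system_backup.key in a caller-supplied directory, encrypts a constructed sample with AES-256-GCM from Go's standard crypto packages as the report describes, and then recovers the sample using nothing but that leaked key file. The nonce-prefixed blob layout and the raw-key file format are assumptions for the illustration, not VolkLocker's actual on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"os"
)

// newGCM wraps a raw AES-256 key in GCM; aes.NewCipher rejects bad key sizes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recoverWithLeakedKey decrypts a nonce||ciphertext||tag blob (nonce-prefix layout is an
// assumption here) using only the key file left on disk; GCM's tag check rejects tampering.
func recoverWithLeakedKey(keyPath string, blob []byte) ([]byte, error) {
	key, err := os.ReadFile(keyPath)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than the GCM nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// demoLeakedKeyRecovery mirrors the flaw in dir: persist a constructed key in plaintext
// as system_backup.key, encrypt a constructed sample, then recover it from that file alone.
func demoLeakedKeyRecovery(dir string) (string, error) {
	key := []byte("constructed-32-byte-key-01234567") // constructed sample key, 32 bytes
	keyPath := dir + "/system_backup.key"
	if err := os.WriteFile(keyPath, key, 0o600); err != nil { // the flaw: key on disk
		return "", err
	}
	gcm, _ := newGCM(key) // 32-byte key by construction, cannot fail
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh nonce per encryption; crypto/rand.Read cannot fail on Go 1.24+
	blob := gcm.Seal(nonce, nonce, []byte("constructed sample document"), nil)
	pt, err := recoverWithLeakedKey(keyPath, blob)
	return string(pt), err
}
```

A wrong key, a truncated blob or any modified byte makes recoverWithLeakedKey return an error rather than garbage, which is what makes a leaked key file a reliable recovery path for investigators.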

CyberVolk operates the RaaS offering through Telegram and advertises payloads for sale, with prices reported in the range of $800 to $1,100 for a single operating system build and $1,600 to $2,200 for both Windows and Linux. As of November 2025 the group has added other tools, such as a remote access trojan and a keylogger, priced at about $500 each. The group, which launched its RaaS in June 2024 and is believed to be of Indian origin, bundles Telegram automation for victim messaging, decryption and victim management.