VolkLocker RaaS Undone by Hard-Coded Master Key
A new ransomware-as-a-service called VolkLocker, run by the pro-Russian hacktivist group CyberVolk (aka GLORIAMIST), contains a critical design flaw that can allow file recovery without paying. SentinelOne researchers report the malware’s master key was hard-coded in test builds and even written in plaintext to a temporary location, a blunder that enables self-recovery in affected samples.
What is VolkLocker
- Emerged in August 2025 and targets both Windows and Linux
- Written in Go and distributed as a RaaS via Telegram
- Builder asks operators to configure BTC payment details, Telegram bot credentials, encryption deadlines, file extensions, and self-destruct options
How the ransomware operates
- Attempts privilege escalation, system reconnaissance, and anti-VM checks using MAC address prefixes tied to virtualization vendors
- Enumerates drives, then encrypts selected files with AES-256 in GCM mode, adding a custom extension
- Anti-recovery measures include Registry changes, deletion of Volume Shadow Copies, and termination of security tools like Microsoft Defender
A fatal implementation lapse
- Test samples use a master key embedded in the binary for all victim files
- The same key is also written in plaintext to a temporary folder and not removed
- Result: Impacted builds allow victims to recover files without paying, undermining the extortion model
Coercion tactics
- An enforcement timer threatens to wipe contents of Documents, Desktop, Downloads, and Pictures if payment is not made within 48 hours or if the wrong key is entered three times
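The two points above, the leaked master key and the three-wrong-attempts wipe, together decide how a responder should handle a recovered candidate key: verify it offline against a copy of an encrypted file, never by typing it into the malware's own prompt. The Go program below is an added example for this page, not VolkLocker code and not SentinelOne's tooling; the file layout (12-byte GCM nonce, then ciphertext and tag), the key values and the sample plaintext are constructed assumptions. Because AES-GCM authenticates the data, a wrong candidate fails with an error instead of producing garbage, so testing candidates never damages the file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed blob layout for this example only: nonce || ciphertext || GCM tag.
// This is not VolkLocker's real on-disk format.

// MakeSample encrypts plaintext under key with AES-256-GCM. It exists only to
// build the sample ciphertext the example is run against.
func MakeSample(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// TryKey attempts to open blob with candidate. GCM verifies the tag first, so a
// wrong key returns an error and no plaintext; the blob itself is never modified.
func TryKey(candidate, blob []byte) ([]byte, error) {
	if len(candidate) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(candidate)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob shorter than nonce plus tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RecoverWithCandidates tries each candidate (for instance, the bytes of a
// suspicious plaintext file found in a temp folder) and returns the index of
// the first one that authenticates, or -1 if none does.
func RecoverWithCandidates(candidates [][]byte, blob []byte) (int, []byte) {
	for i, k := range candidates {
		if pt, err := TryKey(k, blob); err == nil {
			return i, pt
		}
	}
	return -1, nil
}

func main() {
	// Constructed values: a stand-in "leaked" key and a decoy wrong key.
	leaked := bytes.Repeat([]byte{0x42}, 32)
	wrong := bytes.Repeat([]byte{0x24}, 32)
	blob, err := MakeSample(leaked, []byte("quarterly-report.docx contents"))
	if err != nil {
		panic(err)
	}
	idx, pt := RecoverWithCandidates([][]byte{wrong, leaked}, blob)
	fmt.Printf("candidate %d verified: %q\n", idx, pt)
}
```

The design point is that authenticated encryption turns key checking into a safe, repeatable operation on a copy of the data; the only unsafe place to test a key is the malware's own interface, where the enforcement timer counts failed attempts.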
The business model
- Sold via Telegram for 800–1,100 USD per OS (Windows or Linux), or 1,600–2,200 USD for both
- Built-in Telegram automation lets operators message victims, trigger decryption, list active victims, and collect system info
- As of November 2025, CyberVolk also advertises a RAT and keylogger at 500 USD each, signaling a wider criminal toolkit
Who is behind it
- CyberVolk launched its RaaS in June 2024 and is known for DDoS and ransomware attacks against public and government entities, carried out in support of Russian interests; the group is believed to be of Indian origin
- Despite repeated Telegram bans and channel takedowns in 2025, the group has repeatedly reemerged and expanded services
Why it matters
- The Telegram-centric automation mirrors a broader trend in politically motivated cybercrime: lowering barriers to launch ransomware while leveraging mainstream platforms for command-and-control
- Defenders should watch for Go-based payloads across Windows and Linux, Telegram-driven C2 workflows, anti-VM checks, shadow copy deletion, and Registry tampering. Maintain robust, offline backups and test recovery plans. If impacted by VolkLocker, consult trusted incident-response partners; some builds may be recoverable without payment due to the noted flaw
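One way to turn the watch list above into something that runs over process-creation telemetry, as an added Go example that is not part of the article or of any vendor's detection content: the event shape and the sample records are constructed, and the command lines matched (vssadmin and wmic shadow copy deletion, stopping or killing Defender, a Defender policy change via reg add) are assumed common Windows forms of the behaviours listed, not VolkLocker's exact commands.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal process-creation record. The field set is a constructed
// shape for this example, not any specific EDR or Sysmon schema.
type Event struct {
	Host        string
	Image       string
	CommandLine string
}

// Finding ties a matched behaviour to the event that triggered it.
type Finding struct {
	Host      string
	Indicator string
	Command   string
}

// cmdHasAll reports whether every token appears in the command line
// (case-insensitive), so argument order and extra flags do not matter.
func cmdHasAll(cmd string, tokens ...string) bool {
	cl := strings.ToLower(cmd)
	for _, t := range tokens {
		if !strings.Contains(cl, t) {
			return false
		}
	}
	return true
}

// indicator names a behaviour and the predicate that recognises it.
type indicator struct {
	name  string
	match func(Event) bool
}

// Assumed command-line forms for the behaviours the article lists.
var indicators = []indicator{
	{"shadow-copy-deletion", func(e Event) bool {
		return cmdHasAll(e.CommandLine, "vssadmin", "delete", "shadows") ||
			cmdHasAll(e.CommandLine, "wmic", "shadowcopy", "delete")
	}},
	{"defender-termination", func(e Event) bool {
		return cmdHasAll(e.CommandLine, "taskkill", "msmpeng") ||
			cmdHasAll(e.CommandLine, "sc", "stop", "windefend")
	}},
	{"defender-registry-tamper", func(e Event) bool {
		return cmdHasAll(e.CommandLine, "reg", "add", "windows defender", "disableantispyware")
	}},
}

// Scan evaluates every indicator against every event and returns all matches,
// in event order.
func Scan(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		for _, ind := range indicators {
			if ind.match(e) {
				out = append(out, Finding{e.Host, ind.name, e.CommandLine})
			}
		}
	}
	return out
}

// SampleEvents are constructed records, including benign noise (listing shadow
// copies, querying the Defender service) that must not fire.
func SampleEvents() []Event {
	return []Event{
		{"ws-01", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`},
		{"ws-01", `C:\Windows\System32\reg.exe`, `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f`},
		{"ws-02", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe list shadows`},
		{"ws-02", `C:\Windows\System32\taskkill.exe`, `taskkill /F /IM MsMpEng.exe`},
		{"ws-03", `C:\Windows\System32\wbem\WMIC.exe`, `wmic shadowcopy delete`},
		{"ws-03", `C:\Windows\System32\sc.exe`, `sc query windefend`},
	}
}

func main() {
	for _, f := range Scan(SampleEvents()) {
		fmt.Printf("%-6s %-26s %s\n", f.Host, f.Indicator, f.Command)
	}
}
```

Token matching on the command line rather than on the image path keeps the rules robust to renamed binaries, at the cost of needing the benign-noise cases (list, query) in the test set so that tightening a rule does not silently start alerting on routine administration.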
Source: The Hacker News