A new ransomware-as-a-service (RaaS) operation, VolkLocker, run by the pro-Russian hacktivist group CyberVolk, has entered the cybercrime market — but serious cryptographic mistakes in its code may allow many victims to decrypt their data without paying. Analysis by SentinelOne shows that the malware’s encryption scheme relies on a static master key that is both embedded in the binary and written to disk in plain text.
Who Is CyberVolk and How Their RaaS Operation Works
According to threat intelligence reports, CyberVolk presents itself as a pro-Russian hacktivist collective, allegedly operating from India and not clearly tied to established cybercrime cartels. Historically known for DDoS attacks, the group has moved up the value chain by launching its own ransomware family and RaaS platform, marketed under the names VolkLocker and CyberVolk 2.x.
The VolkLocker ransomware is written in Go and supports both Windows and Linux environments, including VMware ESXi, which is frequently targeted in enterprise ransomware incidents. The pricing model follows typical RaaS economics: around $800–$1,100 for a build targeting a single operating system and approximately $1,600–$2,200 for cross‑platform (Windows + Linux) payloads. Additional tools such as remote access utilities and keyloggers are sold for about $500 per instance.
Telegram-Based Ransomware Builder and Attack Workflow
CyberVolk’s affiliates do not write malware themselves. Instead, they interact with a Telegram bot “builder” that generates customized VolkLocker binaries. To create a ransomware payload, operators provide:
- a Bitcoin address for ransom payments;
- a Telegram bot token and chat ID for victim communication;
- a ransom payment deadline (timer for data destruction);
- a custom file extension for encrypted data;
- self‑destruction and cleanup parameters for the malware.
Once executed on a victim system, VolkLocker attempts to bypass Windows User Account Control (UAC) to gain elevated privileges. It then enumerates files, skipping predefined exclusions, and encrypts data using AES‑256 in Galois/Counter Mode (GCM). AES‑256‑GCM is a sound authenticated-encryption choice when implemented correctly and is the standard cipher in TLS 1.3; its guarantees, however, assume that the key stays secret and that nonces are never reused under that key, so the choice of cipher says nothing about whether the key management around it is sound.
Built-In Wiper Logic and Risk of Irreversible Data Loss
A distinctive and dangerous feature of VolkLocker is its wiper capability. The ransomware tracks the configured ransom deadline and also validates keys entered by the victim in the HTML ransom note interface. If the timer expires or an invalid decryption key is submitted, VolkLocker attempts to delete core user directories, including Documents, Downloads, Pictures, and Desktop.
This behavior increases psychological pressure on victims, but it also significantly raises the risk of irrecoverable data loss: a victim who mistypes a key in the ransom note, or who lets the timer run out while restoring from backup, can trigger the deletion. Responders should therefore image the affected disks and copy the malware artifacts off the host before interacting with the ransom note, and should never test candidate keys in its interface. Similar destructive logic has been observed in past ransomware families and pseudo‑ransomware campaigns, where wiping served political sabotage rather than purely financial extortion.
Critical Cryptographic Flaw: Hard-Coded Master Key and Plain-Text Storage
Despite its aggressive design, VolkLocker’s weakest point is its encryption implementation. SentinelOne researchers identified that the ransomware does not generate unique cryptographic keys per victim or per file. Instead, it uses a single hard-coded master key for all encrypted data on a compromised system.
This master key is embedded in the binary as a hex-encoded string and, critically, is also written to disk as a plain-text file in the %TEMP% directory under the name system_backup.key. Anyone holding that file (or the binary it came from) has the AES key material needed to decrypt every affected file without paying the ransom. Because affiliates can configure self‑destruction and cleanup behaviour in the builder, responders should copy system_backup.key and the ransomware binary off the host before any remediation that might remove them.
Researchers also found a function named backupMasterKey() in the codebase, likely a debug artifact that the developers failed to strip from production builds. From a cryptographic and secure-coding perspective this is a fundamental design error: mature ransomware families generate a random key per victim, and often per file, and protect it with an operator-held public key, so that nothing left on the victim's disk is sufficient to decrypt.
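The key-management contrast described above, as an added illustration in Go (VolkLocker's own language) that is not VolkLocker's code and not part of SentinelOne's analysis: the flawed path seals every file under one static key and shows that the hex string from a dropped key file is a universal decryptor, while the hybrid path generates a random data key per file and wraps it with RSA-OAEP to an operator-held public key, so the ciphertext and wrapped key together reveal nothing without the private key. The key value, the function names and the sample document are constructed for this example; the real malware's file format, nonce handling and key-file layout are not known from the page and are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// staticMasterKey is a constructed stand-in (NOT VolkLocker's key) for a key baked into a binary and dropped to disk as hex.
var staticMasterKey, _ = hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key; the random 12-byte nonce is prefixed to the output.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or tampered data fails the GCM tag check.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// EncryptWithStaticKey models the flaw: every file on every victim is sealed under the same embedded key.
func EncryptWithStaticKey(plaintext []byte) ([]byte, error) {
	return gcmSeal(staticMasterKey, plaintext)
}

// RecoverWithKeyFile is what a victim holding the plain-text key file can do: decode the hex and open any file.
func RecoverWithKeyFile(keyFileHex string, sealed []byte) ([]byte, error) {
	key, err := hex.DecodeString(keyFileHex)
	if err != nil {
		return nil, err
	}
	return gcmOpen(key, sealed)
}

// NewOperatorKeyPair stands in for the key pair an operator keeps off the victim host.
func NewOperatorKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt is the sound design: fresh 256-bit data key per file, wrapped with RSA-OAEP to the public key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if sealed, err = gcmSeal(dek, plaintext); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	return wrappedKey, sealed, err
}

// HybridDecrypt unwraps the data key with the private key, then opens the file.
func HybridDecrypt(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, sealed)
}

func main() {
	doc := []byte("quarterly-report.xlsx contents (constructed sample)")
	sealed, _ := EncryptWithStaticKey(doc)
	got, err := RecoverWithKeyFile(hex.EncodeToString(staticMasterKey), sealed)
	fmt.Println("key-file string recovers plaintext:", err == nil && string(got) == string(doc))
	priv, _ := NewOperatorKeyPair()
	wk, sealed2, _ := HybridEncrypt(&priv.PublicKey, doc)
	got2, err := HybridDecrypt(priv, wk, sealed2)
	fmt.Println("private key recovers plaintext:", err == nil && string(got2) == string(doc))
}
```

Run it with go run; both lines print true. The GCM authentication tag is what makes a wrong key fail cleanly instead of yielding garbage, and it is also why neither the wrapped-key bytes nor a different operator key pair can open a hybrid-encrypted file. In the static-key design the only secret is the 64-character hex string, which is exactly what VolkLocker leaves in %TEMP%.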
Quality Issues and Implications for CyberVolk’s RaaS Business
These flaws highlight serious quality assurance and secure development shortcomings in CyberVolk’s tooling. While the group actively recruits new, and often inexperienced, affiliates, it ships a product that can be neutralized once defenders understand its weaknesses. For RaaS operators, such defects quickly erode reputation and revenue when decryption tools become public, as seen in earlier campaigns disrupted by initiatives like No More Ransom.
Responsible Disclosure of Ransomware Weaknesses
The cybersecurity community has long debated how and when to disclose technical vulnerabilities in active ransomware campaigns. Often, detailed decryption methods are shared initially with law enforcement, CERTs, and trusted negotiation firms to avoid tipping off criminals before victims can benefit.
In the VolkLocker case, SentinelOne assessed that public disclosure of the flawed key management would not significantly hinder law‑enforcement efforts but could help a large pool of victims recover files at no cost. This illustrates a broader reality: many emerging RaaS offerings are technically immature, and their mistakes can be turned into effective defensive tools when quickly analyzed and shared.
For organizations and individuals, the VolkLocker incident reinforces several key practices: maintain reliable, offline or immutable backups; enforce least‑privilege access; keep operating systems and applications fully patched; and deploy multi-layered defenses (EPP/EDR, email filtering, application control). When ransomware is suspected, victims should avoid rushing to pay and instead engage cybersecurity experts, check for available free decryption tools, and preserve evidence for investigation (in VolkLocker's case, that includes the dropped key file and the binary itself). As VolkLocker demonstrates, attackers' implementation errors can provide a crucial opportunity to fully restore data without funding further criminal activity.