Russian hackers debut simple ransomware service, but store keys in plain text

CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There's some bad news and some good news here. First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation that launched in late summer. It's run entirely through Telegram, which makes it very easy for affiliates that aren't that tech savvy to lock files and demand a ransom payment. CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram. But here's the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master keys - this same key encrypts all files on a victim's system - into the executable files. This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and flawed code in a Thursday report. The infosec shop and other security researchers first documented the pro-Russia hacktivist collective last year. Unlike similar politically minded crews such as CyberArmyofRussia_Reborn and NoName057(16), which the US government has linked to Russia's GRU military intelligence agency and to Vladimir Putin himself, CyberVolk doesn't seem to have direct ties to the Kremlin. Also unlike these other hacktivist gangs, which primarily rely on nuisance-level distributed denial of service (DDoS) attacks to assault their victims, CyberVolk also uses ransomware. According to Walter, the gang slunk back into the shadowy digital underground for most of 2025 after Telegram banned it multiple times. However, CyberVolk returned in August with a new ransomware-as-a-service operation. Meet VolkLocker "Our analysis reveals an operation struggling with the challenges of expansion: taking one step forward with sophisticated Telegram automation, and one step backward with payloads that retain test artifacts enabling victim self-recovery," Walter wrote. The VolkLocker payloads are written in Go, with versions of the malware that run on both Linux and Windows machines, and they all include built-in Telegram automation for command and control (C2). Operators building new VolkLocker payloads are required to provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options. In fact, all of CyberVolk communication, purchasing, and support occur through Telegram. The default Telegram C2 supports commands that message infected victims, initiate file decryption, list active victims, message specific victims, and retrieve victim system information, among others. The Telegram C2 is customizable, however, and we're told some ransomware operators have developed additional capabilities including keylogging and remote access trojan (RAT) commands. In November, the ransomware operators began advertising standalone RAT and keylogger tools and advertised these pricing models: RaaS (single OS): $800-$1,100 USD RaaS (Linux + Windows): $1,600-$2,200 USD Standalone RAT or Keylogger: $500 USD each Once the ransomware has been deployed on victims' systems, it escalates privileges, bypassing Windows User Account Control (UAC) to execute malware with admin-level privileges. It determines which files to encrypt based on exclusion lists for specific paths and extensions that have been configured in the malware's code, and the ransomware uses AES-256 in GCM mode (Galois/Counter Mode) for file encryption. US extradites Ukrainian woman accused of hacking meat processing plant for Russia Hacktivism resurges – but don't be fooled, it's often state-backed goons in masks Ransomware isn't always about the money: Government spies have objectives, too 193 cybercrims arrested, accused of plotting 'violence-as-a-service' But, here's where the malware developers screwed up: VolkLocker doesn't dynamically generate encryption keys, but rather hardcodes them as hex strings, and writes a plaintext file with the complete master encryption key in the %TEMP% folder. The plaintext master key "likely represents a test artifact inadvertently shipped in production builds," Walter wrote. "CyberVolk operators may be unaware that affiliates are deploying builds with the backupMasterKey() function still embedded." This "suggests that the operation is struggling to maintain quality control while aggressively recruiting lesser-skilled affiliates," he added. The Register has asked SentinelOne about the size of the new RaaS operation, including how many organizations it has infected since its resurgence, and will update this story when we hear back from the security firm. Despite the master key oversight, Walter says network defenders should view "CyberVolk's adoption of Telegram-based automation as a reflection of broader trends among politically motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services." ®