
Uncovering the Vulnerabilities of VolkLocker Ransomware: Master Key Flaw Allows for Decryption


The Rise of VolkLocker Ransomware: A Closer Look at CyberVolk

A new ransomware-as-a-service (RaaS) offering called VolkLocker has recently emerged, attributed to the pro-Russian hacktivist group known as CyberVolk, also referred to as GLORIAMIST. This ransomware variant has garnered attention due to implementation flaws that allow users to decrypt files without paying the demanded ransom.

According to security experts at SentinelOne, VolkLocker, also known as CyberVolk 2.x, made its debut in August 2025, targets both Windows and Linux systems, and is written in Go.

Security researcher Jim Walter highlighted that operators creating VolkLocker payloads must specify various parameters such as a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options.


Upon execution, VolkLocker performs privilege escalation, reconnaissance, system enumeration, and file encryption. Files are encrypted with AES-256 in Galois/Counter Mode (GCM), with random material drawn from Go's crypto/rand package, and each encrypted file is tagged with a custom extension such as .locked or .cvolk.

An analysis of test samples revealed a critical flaw: the ransomware's master keys are hardcoded in the binaries, and that same key is used to encrypt every file on the victim's system. The master key is additionally written to a plaintext file in the %TEMP% folder.
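The following Go program is an added illustration of why this flaw is fatal to the scheme; it is not VolkLocker's code and the article does not describe its on-disk format. It models the design the article reports (one AES-256-GCM key from crypto/rand for every file, a plaintext copy dropped in the temp directory) and then shows the responder's side: because GCM authenticates the ciphertext, any candidate key found in the temp directory can be verified against a single encrypted file with no guesswork. The file layout (12-byte nonce followed by ciphertext and tag) and the file name master.key are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// sealAESGCM encrypts plaintext under key and returns nonce||ciphertext||tag.
// The layout is an assumption for this demo, not the malware's real format.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM decrypts a blob produced by sealAESGCM. gcm.Open fails unless the
// authentication tag verifies, so a wrong key is rejected rather than yielding garbage.
func openAESGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// encryptWithDroppedKey models the reported flaw: a fresh AES-256 key from
// crypto/rand encrypts the data, and a plaintext copy of that key is written
// into tempDir (file name "master.key" is constructed for this demo).
func encryptWithDroppedKey(plaintext []byte, tempDir string) (blob, key []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if blob, err = sealAESGCM(key, plaintext); err != nil {
		return nil, nil, err
	}
	if err = os.WriteFile(filepath.Join(tempDir, "master.key"), key, 0o600); err != nil {
		return nil, nil, err
	}
	return blob, key, nil
}

// recoverFromTemp is responder-side logic: every 32-byte file in tempDir is a
// candidate key, and the GCM tag on one encrypted sample tells us which one is right.
func recoverFromTemp(tempDir string, sample []byte) (key, plaintext []byte, err error) {
	entries, err := os.ReadDir(tempDir)
	if err != nil {
		return nil, nil, err
	}
	for _, e := range entries {
		info, err := e.Info()
		if err != nil || e.IsDir() || info.Size() != 32 {
			continue
		}
		cand, err := os.ReadFile(filepath.Join(tempDir, e.Name()))
		if err != nil {
			continue
		}
		if pt, err := openAESGCM(cand, sample); err == nil {
			return cand, pt, nil
		}
	}
	return nil, nil, errors.New("no candidate key in temp dir authenticated against the sample")
}

func main() {
	dir, err := os.MkdirTemp("", "gcm-key-drop-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	blob, _, err := encryptWithDroppedKey([]byte("constructed sample document"), dir)
	if err != nil {
		panic(err)
	}
	key, pt, err := recoverFromTemp(dir, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered key %x decrypts sample to %q\n", key, pt)
}
```

The point for a responder is the last function: imaging %TEMP% early, before any self-destruct or cleanup logic runs, preserves the one artifact that makes decryption a verification problem rather than a negotiation.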

Despite this flaw, VolkLocker exhibits typical ransomware behavior by modifying the Windows Registry, deleting volume shadow copies, and terminating processes associated with security tools. It also features an enforcement timer that wipes user folders if the ransom is not paid within 48 hours or an incorrect decryption key is entered thrice.
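The shadow-copy deletion mentioned above is one of the most reliable pre-encryption signals a defender can alert on, so as an added example (not from the article or from SentinelOne's analysis) here is a small Go detector run over constructed process-creation log lines. The "pid|image|command line" record format and the sample lines are constructed for the demo; the command patterns (vssadmin delete shadows, wmic shadowcopy delete) are the standard Windows ways of deleting Volume Shadow Copies and are assumptions about what this family runs, since the article names the behaviour but not the commands.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed process-creation records for the demo: "pid|image|command line".
var sampleEvents = []string{
	"4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
	"4133|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
	"4150|C:\\Windows\\System32\\cmd.exe|cmd /c   VSSADMIN   Delete   Shadows  /All",
	"4201|C:\\Program Files\\Editor\\editor.exe|editor.exe quarterly-report.docx",
	"4210|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
}

// rule fires when every token appears, in order, in the normalized command line.
type rule struct {
	name   string
	tokens []string
}

var rules = []rule{
	{"shadow copy deletion via vssadmin", []string{"vssadmin", "delete shadows"}},
	{"shadow copy deletion via wmic", []string{"wmic", "shadowcopy delete"}},
}

// normalize lower-cases the command line and collapses runs of whitespace so
// casing and padding tricks do not slip past a substring match.
func normalize(cmd string) string {
	return strings.ToLower(strings.Join(strings.Fields(cmd), " "))
}

// matchRules returns the names of all rules that fire on one command line.
func matchRules(cmdline string) []string {
	norm := normalize(cmdline)
	var hits []string
	for _, r := range rules {
		rest, ok := norm, true
		for _, tok := range r.tokens {
			idx := strings.Index(rest, tok)
			if idx < 0 {
				ok = false
				break
			}
			rest = rest[idx+len(tok):]
		}
		if ok {
			hits = append(hits, r.name)
		}
	}
	return hits
}

// scanEvents maps each alerting pid to the rules it triggered; records that
// do not split into three fields are skipped rather than treated as hits.
func scanEvents(events []string) map[string][]string {
	alerts := make(map[string][]string)
	for _, ev := range events {
		parts := strings.SplitN(ev, "|", 3)
		if len(parts) != 3 {
			continue
		}
		if hits := matchRules(parts[2]); len(hits) > 0 {
			alerts[parts[0]] = hits
		}
	}
	return alerts
}

func main() {
	for pid, hits := range scanEvents(sampleEvents) {
		fmt.Printf("pid %s: %s\n", pid, strings.Join(hits, "; "))
	}
}
```

Note that "vssadmin list shadows" (pid 4210) is deliberately not flagged: enumeration is routine administrative activity, while deletion is the step that destroys the victim's cheapest recovery path.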

CyberVolk manages its RaaS operations via Telegram, offering Windows or Linux versions of VolkLocker for $800 to $1,100 each or a bundle for both operating systems priced at $1,600 to $2,200. The ransomware payloads include built-in Telegram automation for command-and-control functionalities.


As of November 2025, CyberVolk has expanded its offerings to include a remote access trojan and keylogger, priced at $500 each, indicating a diversification in their monetization tactics.

Originally launching its RaaS in June 2024, CyberVolk, known for its activities supporting Russian government interests through DDoS and ransomware attacks, is suspected to have origins in India.

Despite facing bans and removals on Telegram, CyberVolk has persisted and broadened its services, leveraging Telegram-based automation for ransomware operations. This trend reflects a broader pattern among politically-motivated threat actors simplifying ransomware deployment on accessible platforms.
