A new ransomware strain known as VolkLocker has been discovered with a major encryption flaw that allows victims to recover their files without paying a ransom, according to research by SentinelOne.

VolkLocker is operated by the pro-Russian hacktivist group CyberVolk (also known as GLORIAMIST) and emerged in August 2025. The ransomware targets both Windows and Linux systems and is written in Golang.

The malware requires operators to configure details such as a Bitcoin wallet address, Telegram bot credentials, an encryption deadline, and a custom file extension before deployment. Once executed, VolkLocker attempts privilege escalation, performs system reconnaissance, checks for virtualized environments, and encrypts files using AES-256-GCM, appending extensions like .locked or .cvolk.

Security researchers identified a critical design error in test samples where the ransomware’s master encryption key is hard-coded into the binary and reused for all encrypted files. The key is also saved in plaintext to a local file at:

C:\Users\AppData\Local\Temp\system_backup.key

Because this file is not deleted, victims can decrypt their data without interacting with the attackers.
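As an added example (not code from SentinelOne or from the page), a small incident-response triage script that looks for the leaked key file and scopes the encrypted files by extension; it assumes the key file holds a raw 32-byte AES-256 key, which the page does not state, and builds a constructed sample directory so it runs offline.

```python
import secrets
import tempfile
from pathlib import Path

KEY_FILE_NAME = "system_backup.key"        # file name reported by the research
RANSOM_EXTENSIONS = {".locked", ".cvolk"}  # extensions reported by the research
AES256_KEY_LEN = 32                        # assumption: file is one raw AES-256 key

def find_key_files(root):
    # Every file under root named like the leaked master-key file
    return sorted(p for p in Path(root).rglob(KEY_FILE_NAME) if p.is_file())

def plausible_raw_key(path):
    # True if the file is exactly one AES-256 key long (assumed layout)
    return Path(path).stat().st_size == AES256_KEY_LEN

def inventory_encrypted(root):
    # Count files per ransomware extension so the impact can be scoped
    counts = {ext: 0 for ext in RANSOM_EXTENSIONS}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in counts:
            counts[p.suffix.lower()] += 1
    return counts

def triage(root):
    # What a responder needs first: key candidates to preserve, and scope
    keys = find_key_files(root)
    return {
        "key_files": [str(k) for k in keys],
        "plausible_keys": [str(k) for k in keys if plausible_raw_key(k)],
        "encrypted": inventory_encrypted(root),
    }

def build_sample_tree(base):
    # Constructed victim layout for a dry run; not real malware artefacts
    temp = Path(base) / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / KEY_FILE_NAME).write_bytes(secrets.token_bytes(AES256_KEY_LEN))
    docs = Path(base) / "Documents"
    docs.mkdir()
    for name in ("report.docx.locked", "budget.xlsx.locked", "photo.jpg.cvolk", "notes.txt"):
        (docs / name).write_bytes(b"constructed sample content")
    return str(base)

def dry_run():
    # Run the triage against the constructed tree in a throwaway directory
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))
```

On a real host the key file, if present, should be copied to write-protected storage before any cleanup, since the recovery path depends on it surviving.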

Despite the flaw, VolkLocker carries out typical ransomware behaviors, including deleting volume shadow copies, modifying the Windows Registry, and disabling security-related processes. It also features an enforcement mechanism that wipes user folders such as Documents, Desktop, Downloads, and Pictures if payment is not made within 48 hours or if the wrong decryption key is entered multiple times.

CyberVolk operates its ransomware-as-a-service platform through Telegram, charging between $800 and $1,100 for single-platform builds and up to $2,200 for Windows and Linux variants. The group has also advertised additional malware tools, including a remote access trojan and a keylogger.

CyberVolk launched its RaaS operation in June 2024 and has been linked to cyberattacks targeting public and government entities. Despite repeated platform takedowns, the group continues to re-establish its infrastructure and expand its services.

Stay alert, and keep your security measures updated!
