Notorious Russian cybercriminals return with new ransomware

  • CyberVolk resurfaced with a revamped ransomware‑as‑a‑service model but its encryptor is fundamentally broken
  • VolkLocker’s hardcoded encryption key lets victims recover data for free, undermining the operation
  • The group operates entirely via Telegram and blends hacktivism with financially motivated ransomware activity

CyberVolk, a Russian hacktivist group that has been dormant for most of 2025, is back, offering an updated version of its ransomware-as-a-service (RaaS) model to its affiliates. However, there is a gaping structural hole in the encryptor that renders the entire model harmless.

CyberVolk is a relatively young, pro-Russian hacktivist collective that emerged in 2024. The group’s entire infrastructure runs on Telegram, which makes it simple for affiliates to lock files and demand a ransom, even if they aren’t particularly tech-savvy.

When Telegram took action against the group back in 2024 and shut down a few of its channels, the group disappeared. Now it is back, but it appears to be operating on the same principle: everything is managed through Telegram, and prospective customers and operational queries are directed to the main bot.

Most hacktivists are engaged in Distributed Denial of Service (DDoS) attacks, cyber-espionage, and data theft.

CyberVolk, however, added ransomware into the mix, making it unclear whether its members are actually hacktivists or just financially motivated cybercriminals hiding behind a pro-Russia stance. This was confirmed by cybersecurity researchers at SentinelOne, whose latest report digs deeper into the group and its modus operandi.

The encryptor, VolkLocker, includes built-in Telegram automation for command and control, while the C2 is customizable. “Some CyberVolk operators have published examples that include additional capabilities, such as keylogging control,” the researchers explained.

It also has functions that alert operators when a new infection happens, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.

But the encryption key for the tool is not generated dynamically. It is hardcoded as a hex string within the binaries, allowing victims to recover all encrypted data without paying a ransom. SentinelOne believes the key was most likely left in by mistake, much as legitimate software developers sometimes forget to remove passwords from their products, so it’s an underwhelming comeback for the group.

Via The Register
