VolkLocker
VolkLocker is a Golang-based cross-platform ransomware and ransomware-as-a-service (RaaS) offering operated by the pro-Russia hacktivist group CyberVolk, also referred to in reporting as CyberVolk 2.x. CyberVolk was first documented in late 2024 and resurfaced in August 2025 after Telegram enforcement disruptions, rebuilding operations around VolkLocker. The malware targets both Windows and Linux systems, including VMware ESXi in some reporting, and has been described as aligned with Russian government interests. CyberVolk uses Telegram as the core operational platform for payload generation, affiliate management, command-and-control, victim messaging, support, and decryption workflows, lowering the barrier for less-skilled affiliates. Operators building payloads are reported to supply a Bitcoin address, Telegram bot token, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options. Reported pricing for the RaaS ranges from $800-$1,100 for a single OS build and $1,600-$2,200 for Linux and Windows support, with standalone RAT and keylogger tools later advertised for $500 each.
Functionally, VolkLocker performs privilege escalation on Windows, including the registry-based "ms-settings" UAC bypass (a command planted under HKCU\Software\Classes\ms-settings\shell\open\command that an auto-elevating Windows binary then executes with high integrity), and conducts environmental checks and system reconnaissance before encryption. Reported behavior includes process enumeration, drive enumeration, VM and sandbox detection (checks for VMware, VirtualBox and QEMU artifacts, MAC addresses, and registry keys), and exclusion lists for paths and extensions. It has also been reported to modify registry keys, delete Volume Shadow Copies, disable or interfere with Microsoft Defender, terminate analysis-related processes, and, in some reporting, create multiple copies of itself for persistence. Encrypted files may receive extensions such as .locked or .cvolk. File contents are encrypted with AES-256-GCM.
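Hunting the two most specific behaviours above from endpoint telemetry, as an added example that is not VolkLocker's code and not any vendor's detection content: the Event type, the rule names and the sampleEvents records are constructed for illustration. The first rule fires on any write under the ms-settings protocol handler in a user's Classes hive, which legitimate software has no reason to create; the second fires on shadow-copy deletion command lines. The wmic and PowerShell variants go beyond what the page reports for VolkLocker and are included because one rule covers all of them.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal, vendor-neutral endpoint telemetry record. The records in
// sampleEvents below are constructed for this example, not real VolkLocker logs.
type Event struct {
	Kind    string // "process" or "registry"
	Image   string // process image path (process events)
	CmdLine string // full command line (process events)
	Target  string // registry value path (registry events)
	Details string // data written (registry events)
}

// Finding pairs a matched rule name with the event that triggered it.
type Finding struct {
	Rule  string
	Event Event
}

// msSettingsUACBypass flags writes under the ms-settings protocol handler in a
// user's Classes hive. Any auto-elevating Windows binary that opens ms-settings:
// will run whatever command is planted there, so the write itself is the signal.
func msSettingsUACBypass(e Event) bool {
	t := strings.ToLower(e.Target)
	return e.Kind == "registry" &&
		strings.Contains(t, `\software\classes\ms-settings\shell\open\command`)
}

// shadowCopyDeletion flags the common ways of wiping Volume Shadow Copies.
// Listing shadows is normal admin activity and is deliberately not matched.
func shadowCopyDeletion(e Event) bool {
	if e.Kind != "process" {
		return false
	}
	img, cmd := strings.ToLower(e.Image), strings.ToLower(e.CmdLine)
	switch {
	case strings.HasSuffix(img, `\vssadmin.exe`):
		return strings.Contains(cmd, "delete shadows")
	case strings.HasSuffix(img, `\wmic.exe`):
		return strings.Contains(cmd, "shadowcopy") && strings.Contains(cmd, "delete")
	case strings.HasSuffix(img, `\powershell.exe`), strings.HasSuffix(img, `\pwsh.exe`):
		return strings.Contains(cmd, "win32_shadowcopy")
	}
	return false
}

// Hunt runs every rule over the event stream and returns matches in stream order.
func Hunt(events []Event) []Finding {
	rules := []struct {
		name  string
		match func(Event) bool
	}{
		{"uac_bypass_ms_settings_handler", msSettingsUACBypass},
		{"shadow_copy_deletion", shadowCopyDeletion},
	}
	var out []Finding
	for _, e := range events {
		for _, r := range rules {
			if r.match(e) {
				out = append(out, Finding{Rule: r.name, Event: e})
			}
		}
	}
	return out
}

// sampleEvents: constructed malicious records interleaved with benign noise.
var sampleEvents = []Event{
	{Kind: "process", Image: `C:\Windows\System32\svchost.exe`, CmdLine: `svchost.exe -k netsvcs`},
	{Kind: "registry", Target: `HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)`,
		Details: `C:\Users\Public\update.exe`},
	{Kind: "registry", Target: `HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\DelegateExecute`},
	{Kind: "process", Image: `C:\Windows\System32\vssadmin.exe`, CmdLine: `vssadmin.exe delete shadows /all /quiet`},
	{Kind: "process", Image: `C:\Windows\System32\vssadmin.exe`, CmdLine: `vssadmin.exe list shadows`},
}

func main() {
	for _, f := range Hunt(sampleEvents) {
		fmt.Printf("%-32s %-8s %s%s\n", f.Rule, f.Event.Kind, f.Event.Image, f.Event.Target)
	}
}
```

Run against the constructed stream, Hunt returns three findings: both registry writes (the command value and the empty DelegateExecute value that makes the bypass work) and the vssadmin delete, while the vssadmin list call is left alone. Both rules map directly onto Sigma logic if the page's rule feed is the destination.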
A widely reported implementation flaw significantly weakens the malware: the master encryption key is hardcoded in the binary, reused for every file on a victim system, and written in plaintext to the Windows %TEMP% directory as system_backup.key by a backupMasterKey() routine that never deletes the file. Multiple reports state this can, in some cases, allow victims to recover files without paying. For responders this makes %TEMP%\system_backup.key both a hunting artifact and the recovery material itself, so it should be copied off-host or imaged before any cleanup that clears temporary directories. Researchers assessed the plaintext key handling as likely a test artifact inadvertently left in production builds, reflecting poor quality control as CyberVolk expanded and recruited affiliates. Additional reported capabilities include Telegram-based victim management commands, customizable C2 features, and in some cases added RAT and keylogging functionality. SentinelOne reporting also notes a dynamic HTML ransom note with a countdown and a separate enforcement timer; some reporting states destructive actions can be triggered if payment deadlines expire or incorrect decryption keys are entered repeatedly, including deletion of user folders, shadow copies, and system disruption, so any recovery attempt should decrypt copies of the files offline rather than feeding candidate keys into the malware's own prompt. SentinelOne has published indicators of compromise for Windows and Linux deployments.
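The flaw described above reproduced end to end, as an added example that is not VolkLocker's code and not any published decryptor: SimulateInfection stands in for the malware, writing one master key to system_backup.key in the target directory and reusing it for every file, and RecoverDirectory is the responder's side. Two things are assumptions because the page does not state them: that the key file holds the raw 32 key bytes, and that each encrypted file is laid out as nonce||ciphertext||tag. A real decryptor would need to confirm both against a sample before use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

const keyFile, lockedExt = "system_backup.key", ".locked" // reported artifact name and extension

// newGCM builds AES-256-GCM and rejects any key that is not 32 bytes, so a truncated key file cannot silently become AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext||tag (ASSUMPTION: the page does not document VolkLocker's real layout).
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM authenticates, so a wrong key is an error, not garbage.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SimulateInfection reproduces the reported flaw in dir: one master key is reused
// for every file, and the backupMasterKey equivalent leaves it unencrypted on disk.
func SimulateInfection(dir string, masterKey []byte, files map[string][]byte) error {
	if err := os.WriteFile(filepath.Join(dir, keyFile), masterKey, 0o600); err != nil {
		return err
	}
	for name, data := range files {
		blob, err := Seal(masterKey, data)
		if err == nil {
			err = os.WriteFile(filepath.Join(dir, name+lockedExt), blob, 0o600)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// RecoverDirectory is the responder's side: read the leaked key (ASSUMPTION: raw bytes;
// the page does not state the encoding), decrypt every *.locked file, write nothing back.
func RecoverDirectory(dir string) (map[string][]byte, error) {
	key, err := os.ReadFile(filepath.Join(dir, keyFile))
	if err != nil {
		return nil, err
	}
	paths, _ := filepath.Glob(filepath.Join(dir, "*"+lockedExt)) // errs only on a bad pattern
	out := make(map[string][]byte, len(paths))
	for _, p := range paths {
		blob, err := os.ReadFile(p)
		if err == nil {
			blob, err = Open(key, blob)
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p, err)
		}
		out[filepath.Base(p)[:len(filepath.Base(p))-len(lockedExt)]] = blob
	}
	return out, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "volklocker-demo")
	defer os.RemoveAll(dir)
	_ = SimulateInfection(dir, bytes.Repeat([]byte{0x41}, 32), map[string][]byte{"report.docx": []byte("quarterly numbers")})
	got, err := RecoverDirectory(dir)
	fmt.Println(string(got["report.docx"]), err)
}
```

Because GCM is an authenticated mode, a candidate key that is wrong fails cleanly on the first file instead of producing garbage, which is why trying a recovered key offline against copies is safe; the same property is what makes feeding guesses into the malware's own prompt, with its reported destructive timer, the wrong place to experiment.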
Groups observed using it
2 distinct threat actors attributed by public researchers.
A new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw. VolkLocker is the ransomware-as-a-service (RaaS) offering of CyberVolk, a group first documented in late 2024 that uses multiple ransomware tools to conduct attacks aligned with the interests of the Russian government.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
A ransomware strain noted for a cryptographic weakness that, in some cases, enabled victims/defenders to decrypt without paying.
RaaS ransomware with a hard-coded master key implementation flaw enabling free decryption; emerged Aug 2025.
VolkLocker is a ransomware family associated with the CyberVolk collective, known for reusing and modifying leaked ransomware source code.
AI-driven ransomware used by CyberVolk, automating negotiation, phishing, and multilingual attacks.