- CyberVolk resurfaced with a revamped ransomware-as-a-service model, but its encryption is fundamentally broken
- VolkLocker’s hard-coded encryption key lets victims recover data for free, undermining the operation
- The group operates exclusively through Telegram and mixes hacktivism with financially motivated ransomware activity
CyberVolk, a Russian hacktivist group that has been dormant for most of 2025, is back and offering an updated version of its RaaS model to its affiliates. However, there appears to be a gaping structural hole in the encryption engine that renders the entire model harmless.
CyberVolk is a relatively young, pro-Russian hacktivist collective that emerged in 2024. The group’s entire infrastructure is on Telegram, making it a simple process for affiliates to lock files and demand ransom, even if they aren’t too tech-savvy.
When Telegram cracked down on the group back in 2024, shutting down a few of its channels, the group disappeared. Now it is back, and it appears to work on the same principle: everything is managed through Telegram, and prospective customers and operational inquiries are directed to the main bot.
Most hacktivists are engaged in Distributed Denial of Service (DDoS) attacks, cyber espionage and data theft.
However, CyberVolk added ransomware to the mix, making it unclear whether its members are genuine hacktivists or financially motivated cybercriminals hiding behind a pro-Russia stance. This was confirmed by cybersecurity researchers at SentinelOne, whose latest report digs deeper into the group and its modus operandi.
The encryptor, VolkLocker, includes built-in Telegram automation for command and control, while C2 is customizable. “Some CyberVolk operators have published samples that include additional features such as keylogging control,” the researchers explained.
It also has features that alert operators when a new infection occurs, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.
But the encryption key for the tool is not generated dynamically. It is hardcoded as a hex string in the binaries, allowing victims to recover all encrypted data without paying the extortion fee. SentinelOne believes the key was most likely left there by mistake, in the same way that legitimate software developers sometimes leave credentials behind in their products, so it is an underwhelming comeback for the group.
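To illustrate why a key embedded as a hex string defeats the extortion model, here is an added example (not code from the article or from SentinelOne's report). It builds a constructed stand-in for a locker binary with a made-up 32-byte key, scans it for 64-character hex runs the way an analyst would with a strings-style pass, and tries each candidate against a locked file, accepting the decryption that yields a known file magic. The cipher is a toy SHA-256 keystream standing in for whatever VolkLocker actually uses; the key, binary contents and victim file are all constructed.

```python
import hashlib
import re

# Constructed 32-byte key, embedded in the binary as an ASCII hex string.
# Made-up value for this demo, not the key from the real binaries.
HARDCODED_KEY_HEX = bytes(range(0x10, 0x30)).hex()

# Constructed stand-in for a locker binary: header bytes, config strings,
# and the key sitting in plain hex among them.
FAKE_LOCKER_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"tg_chat=EXAMPLE\x00"
    + b"key=" + HARDCODED_KEY_HEX.encode() + b"\x00"
    + b"note=All your files are encrypted.\x00"
)

# A 64-char hex run not touching other hex chars: a 32-byte key candidate.
HEX_KEY_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def find_hex_key_candidates(blob):
    """Return every 64-character hex run found in a binary blob."""
    return [m.decode() for m in HEX_KEY_RE.findall(blob)]


def xor_stream(key, data):
    """Toy keystream cipher (SHA-256 of key||counter), a stand-in for the
    real cipher. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def recover(binary, ciphertext, looks_valid):
    """Try each embedded key candidate; return (hex_key, plaintext) for the
    first decryption that passes the validity check (e.g. file magic)."""
    for hex_key in find_hex_key_candidates(binary):
        plaintext = xor_stream(bytes.fromhex(hex_key), ciphertext)
        if looks_valid(plaintext):
            return hex_key, plaintext
    return None


if __name__ == "__main__":
    # Constructed victim file, locked with the embedded key as the locker would.
    original = b"%PDF-1.7\n% constructed invoice contents\n"
    locked = xor_stream(bytes.fromhex(HARDCODED_KEY_HEX), original)
    result = recover(FAKE_LOCKER_BINARY, locked, lambda p: p.startswith(b"%PDF"))
    print("recovered" if result and result[1] == original else "failed")
```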
Via The Register