The recent unveiling of CyberVolk's ransomware offering, known as VolkLocker, has hit a significant snag due to critical errors in its cryptographic design. According to experts from SentinelOne, these flaws could allow victims of the attack to decrypt their files at no cost, severely undermining the ransomware's intended impact.
"Since the ransomware never deletes this backup key file, victims could attempt file recovery by extracting the necessary values from the file," explained a representative from SentinelOne, highlighting a major loophole in CyberVolk's cryptography.

CyberVolk, an India-based pro-Russian hacktivist group, first appeared last year, launching various disruptive attacks including distributed denial of service (DDoS) and ransomware attacks against entities seen as opposing Russia or aligning with Ukraine. Following a brief disruption of its operations on platforms like Telegram, the group re-emerged in August 2025, introducing its ransomware-as-a-service (RaaS) program, VolkLocker. This service specifically targets both Windows and Linux platforms, including VMware ESXi.
A noteworthy aspect of VolkLocker is its use of a Golang timer function. Once activated, this timer triggers the deletion of user folder contents such as Documents and Downloads if an incorrect key is entered in the ransom note, intensifying the threat to victims.
"The plaintext key backup likely represents a test artifact inadvertently shipped in production builds," added the SentinelOne spokesperson, shedding light on the lack of operational integrity regarding CyberVolk's software.

VolkLocker utilizes AES-256 encryption operating in Galois/Counter Mode (GCM), requiring a 32-bit master key derived from a designated hex string embedded within the binary. However, the critical error lies in the repeated use of the same master key for all files on an infected system. In addition, this key is logged in plaintext on the victim's machine, specifically in the %TEMP% directory, as a file named system_backup.key.
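For responders, the key backup described above is worth preserving before any other recovery step. The following is an added example, not code from SentinelOne or from the original article: it copies each `system_backup.key` found in per-user temp directories into an evidence folder and records a SHA-256 for every copy. The default `AppData\Local\Temp` layout, the function names and the sample directory tree are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ARTIFACT = "system_backup.key"  # file name reported in the article

def user_temp_dirs(users_root):
    """Yield (profile, temp_dir) pairs. Assumes the default %TEMP% location
    of <profile>\\AppData\\Local\\Temp; redirected TEMP paths are not covered."""
    for profile in sorted(Path(users_root).iterdir()):
        temp = profile / "AppData" / "Local" / "Temp"
        if temp.is_dir():
            yield profile.name, temp

def preserve_key_backups(users_root, evidence_dir):
    """Copy every key backup into evidence_dir without modifying the source,
    and return one record per copy with its SHA-256 for the case notes."""
    evidence = Path(evidence_dir)
    evidence.mkdir(parents=True, exist_ok=True)
    records = []
    for user, temp in user_temp_dirs(users_root):
        src = temp / ARTIFACT
        if not src.is_file():
            continue
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        dest = evidence / f"{user}_{digest[:12]}_{ARTIFACT}"
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
        if hashlib.sha256(dest.read_bytes()).hexdigest() != digest:
            raise OSError(f"copy of {src} does not match its source hash")
        records.append({"user": user, "source": str(src),
                        "copy": str(dest), "sha256": digest})
    return records

def build_sample_tree(root):
    """Constructed sample: two profiles, only 'alice' holds the artifact."""
    for user in ("alice", "bob"):
        (Path(root) / user / "AppData" / "Local" / "Temp").mkdir(parents=True)
    key_file = Path(root) / "alice" / "AppData" / "Local" / "Temp" / ARTIFACT
    key_file.write_bytes(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY")
    return key_file

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp) / "Users")
        for rec in preserve_key_backups(Path(tmp) / "Users", Path(tmp) / "evidence"):
            print(rec["user"], rec["sha256"], rec["copy"])
```

The article does not describe the internal layout of the key file, so the script only preserves it and does not attempt to parse it.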
Beyond the issues with encryption, VolkLocker is marketed at prices ranging from $800 to $1,100 for a single operating system architecture, while bundles for both systems range from $1,600 to $2,200. Buyers can access a builder bot via Telegram for customization of the encryptor, allowing them to generate tailored payloads. In November 2025, the group further expanded its offerings, introducing a remote access trojan and keylogger, each priced at $500.
Looking Ahead
Despite the potential relief to victims from the outlined cryptographic weaknesses, it's important to consider that public disclosures such as these may spur CyberVolk or similar groups to rectify their mistakes and bolster their ransomware implementations against future vulnerabilities. As the spokesperson noted, "this isn’t a core encryption flaw but rather a testing artifact that’s inadvertently getting shipped to some production builds by incompetent operators."
Timely reporting on such cybersecurity threats remains a critical aspect of the ongoing battle against cybercrime. While the exposure of vulnerabilities can provide an immediate avenue for victim recovery, it may also push threat actors to adapt quickly, thereby continuously evolving the landscape of ransomware operations. Thus, the cybersecurity community must balance the need for transparency with the urgent necessity to combat cybercriminal tactics more effectively.

