VolkLocker Ransomware Exposed by Hard‑Coded Master Key

The pro‑Russian hacktivist group CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware‑as‑a‑service (RaaS) offering called VolkLocker. Despite its aggressive design, researchers found a fatal flaw: the ransomware’s master key is hard‑coded and even saved in plaintext on victim systems, allowing free decryption without paying ransom.

Technical Overview

  • Emerged in August 2025, written in Golang, capable of targeting Windows and Linux.
  • Operators building new payloads must provide: Bitcoin address, Telegram bot token ID, chat ID, encryption deadline, file extension, and self‑destruct options.
  • Uses AES‑256 GCM encryption. Files are renamed with extensions like .locked or .cvolk.

Fatal Flaw

  • Master keys are hard‑coded in the binaries.
  • Keys reused across all encrypted files.
  • Also written to disk in plaintext at: C:\Users\AppData\Local\Temp\system_backup.key
  • Since this file is never deleted, victims can self‑recover without ransom payment.

Malicious Features

  • Registry modifications to block recovery.
  • Deletes volume shadow copies.
  • Terminates Microsoft Defender Antivirus processes.
  • Enforcement timer: wipes Documents, Desktop, Downloads, and Pictures if ransom unpaid within 48 hours or if wrong decryption key entered three times.

RaaS Pricing (Converted to Rands)

CyberVolk sells VolkLocker through Telegram automation:

  • Windows or Linux version: R13,480 – R18,535 (previously $800–$1,100).
  • Both OS versions: R26,960 – R37,070 (previously $1,600–$2,200).
  • Additional tools:
    • Remote access trojan (RAT): R8,425 (previously $500).
    • Keylogger: R8,425 (previously $500).

These payloads include built‑in Telegram automation for victim messaging, decryption initiation, victim listing, and system info retrieval.

Attribution & Context

  • CyberVolk launched its RaaS in June 2024.
  • Known for DDoS and ransomware attacks against public/government entities in support of Russian interests.
  • Believed to be of Indian origin, despite pro‑Russian alignment.
  • Despite repeated Telegram bans, the group continues to re‑establish operations.

Defender Takeaways

  • Victims of VolkLocker can potentially recover files for free using the plaintext master key.
  • Organizations should:
    • Monitor %TEMP% for suspicious .key files.
    • Detect Golang‑based binaries with AES‑256 GCM usage.
    • Watch for Telegram‑based C2 activity.
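A small detection helper for the first takeaway, added here as an example and not code from the article or from any vendor: it walks a temp directory for small `.key` files whose contents could encode a 32-byte AES-256 key (raw, hex or base64), which is the shape a leaked master key such as `system_backup.key` would have. The directory, file names and sample contents below are constructed for the demo.

```python
# Added example: flag *.key files in a temp directory that look like AES-256 keys.
import base64
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(rb"^[0-9a-fA-F]{64}\s*$")


def key_format(data: bytes):
    """Return how `data` could encode a 32-byte AES-256 key, or None.

    Checks three common encodings: 32 raw bytes, 64 hex characters,
    or base64 text that decodes to exactly 32 bytes.
    """
    if len(data) == 32:
        return "raw"
    if HEX64.match(data):
        return "hex"
    try:
        if len(base64.b64decode(data.strip(), validate=True)) == 32:
            return "base64"
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    return None


def scan_for_key_files(temp_dir: str, suffix: str = ".key"):
    """List (path, format) for small *.key files in temp_dir holding a plausible key."""
    hits = []
    for path in Path(temp_dir).rglob(f"*{suffix}"):
        if not path.is_file() or path.stat().st_size > 4096:
            continue  # keys are tiny; skip anything large
        fmt = key_format(path.read_bytes())
        if fmt:
            hits.append((str(path), fmt))
    return hits


def demo():
    """Build a constructed temp dir with one key-like file and one decoy, then scan it."""
    d = tempfile.mkdtemp(prefix="keyfile_demo_")
    # constructed sample: 32 bytes standing in for a leaked AES-256 key
    (Path(d) / "system_backup.key").write_bytes(bytes(range(32)))
    (Path(d) / "notes.key").write_text("not a key, just text")
    return scan_for_key_files(d)


if __name__ == "__main__":
    for path, fmt in demo():
        print(f"possible leaked key ({fmt}): {path}")
```

On a real host the scan would be pointed at `%TEMP%` and the hits fed to the SIEM rather than printed.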
