Imagine a ransomware group so careless that they left the keys to their own kingdom lying around for anyone to find. That's exactly what happened with VolkLocker, a new ransomware-as-a-service (RaaS) offering from the pro-Russian hacktivist group CyberVolk (aka GLORIAMIST). This group, believed to be of Indian origin, has been making waves with their politically motivated cyberattacks, but their latest creation has a critical flaw that allows victims to decrypt their files for free. But here's where it gets controversial: despite this glaring mistake, VolkLocker still packs a punch with its aggressive tactics and expanding monetization strategy. And this is the part most people miss: it’s not just about the ransomware—it’s about the broader trend of politically motivated threat actors lowering the barrier to entry for cybercrime.
Discovered in August 2025 by SentinelOne, VolkLocker (also known as CyberVolk 2.x) is written in Golang and targets both Windows and Linux systems. To deploy it, operators must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options, as explained by security researcher Jim Walter. Once activated, the ransomware escalates privileges, conducts system reconnaissance (including checks for virtualization environments like Oracle and VMware), and then encrypts files using AES-256 in Galois/Counter Mode (GCM). Each encrypted file is marked with a custom extension like .locked or .cvolk.
But here’s the kicker: the master keys used for encryption are hard-coded into the ransomware’s binaries and, astonishingly, saved in a plaintext file in the system’s temporary folder (C:\Users\AppData\Local\Temp\system_backup.key). This design blunder allows victims to recover their files without paying the ransom. However, VolkLocker doesn’t skimp on the typical ransomware playbook—it modifies the Windows Registry, deletes volume shadow copies, and disables security tools like Microsoft Defender Antivirus.
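The following Python example is added here and is not code from the article or from SentinelOne. It shows a responder's triage step based on the details above: copy the plaintext key file to an evidence folder, hash it, and inventory files carrying the ransomware's extensions. The function names, the evidence folder and the accepted key encodings (raw 32 bytes or 64 hex characters) are assumptions; the article does not state how the key is encoded.

```python
import hashlib
import shutil
from pathlib import Path

KEY_FILE_NAME = "system_backup.key"        # file name reported in the article
LOCKED_EXTENSIONS = {".locked", ".cvolk"}  # examples from the article; operators can set others


def classify_key_material(data: bytes) -> str:
    """Guess how a candidate AES-256 key is stored (both encodings are assumptions)."""
    if len(data) == 32:
        return "raw-32-bytes"
    text = data.strip()
    if len(text) == 64:
        try:
            bytes.fromhex(text.decode("ascii"))
            return "hex-64-chars"
        except (UnicodeDecodeError, ValueError):
            pass
    return "unrecognized"


def triage(temp_dir: Path, data_root: Path, evidence_dir: Path) -> dict:
    """Preserve the plaintext key file and list files with ransomware extensions."""
    report = {"key_found": False, "key_sha256": None, "key_format": None, "encrypted": []}
    key_path = temp_dir / KEY_FILE_NAME
    if key_path.is_file():
        data = key_path.read_bytes()
        evidence_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(key_path, evidence_dir / KEY_FILE_NAME)  # copy, never move
        report.update(key_found=True,
                      key_sha256=hashlib.sha256(data).hexdigest(),
                      key_format=classify_key_material(data))
    for path in data_root.rglob("*"):
        if path.is_file() and path.suffix.lower() in LOCKED_EXTENSIONS:
            report["encrypted"].append(str(path))
    report["encrypted"].sort()
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample layout, not a real host
        temp, docs = Path(d) / "Temp", Path(d) / "Docs"
        temp.mkdir()
        docs.mkdir()
        (temp / KEY_FILE_NAME).write_text("00" * 32)  # constructed placeholder key
        (docs / "report.docx.cvolk").write_bytes(b"constructed ciphertext")
        print(triage(temp, docs, Path(d) / "evidence"))
```

Run it against a mounted image or a live host's temp and user-data folders, and keep the recorded SHA-256 with the case notes so the preserved copy can be verified later.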
What sets VolkLocker apart is its enforcement timer. If victims fail to pay within 48 hours or enter the wrong decryption key three times, it wipes the contents of critical folders like Documents, Desktop, Downloads, and Pictures. CyberVolk manages its RaaS operations via Telegram, charging between $800 and $1,100 for a single OS version or $1,600 to $2,200 for both Windows and Linux. The payloads include built-in Telegram automation for command-and-control, enabling attackers to communicate with victims, initiate decryption, and gather system information.
As of November 2025, CyberVolk has expanded its offerings to include a remote access trojan and keylogger, each priced at $500, signaling a diversification of their revenue streams. The group first launched its RaaS in June 2024 and is notorious for DDoS and ransomware attacks against public and government entities in support of Russian interests. Despite facing repeated Telegram account bans and channel removals in 2025, CyberVolk has persistently reestablished its operations.
Jim Walter highlights a critical insight: CyberVolk’s use of Telegram-based automation reflects a broader trend among politically motivated threat actors. These groups are making ransomware deployment more accessible while leveraging platforms that provide convenient infrastructure for criminal services. But here’s the question: does this trend signal a new era of state-aligned cybercrime, or is it just another example of hackers cutting corners?