- CyberVolk reemerged with a revamped ransomware-as-a-service model, but its encryption is fundamentally broken
- VolkLocker's hard-coded encryption key allows victims to recover data for free, undermining the operation
- The group operates entirely through Telegram and combines hacktivism with financially motivated ransomware activity.
CyberVolk, a Russian hacktivist group that has been dormant for most of 2025, is back and offering an updated version of its RaaS model to its affiliates. However, there appears to be a major structural flaw in the encryption that renders the entire model harmless.
CyberVolk is a relatively young pro-Russian hacktivist collective that emerged in 2024. The group’s entire infrastructure is on Telegram, making it a simple process for affiliates to lock files and demand a ransom, even if they are not too tech-savvy.
When Telegram targeted the group back in 2024 and closed some of its channels, the group disappeared. Now it’s back, but it seems to work on the same principle: everything is managed via Telegram, and leads and operational queries are directed to the main bot.
Most hacktivists are involved in distributed denial of service (DDoS) attacks, cyber espionage, and data theft.
CyberVolk, however, added ransomware to the mix, leaving it unclear whether they are actually hacktivists or simply financially motivated cybercriminals hiding behind a pro-Russia stance. This was confirmed by cybersecurity researchers at SentinelOne, whose latest report delves into the group and its modus operandi.
The encryptor, VolkLocker, includes built-in Telegram automation for command and control, while the C2 is customizable. “Some CyberVolk operators have published examples that include additional capabilities, such as keylogging control,” the researchers explained.
It also has features that alert operators when a new infection occurs, similar to Telegram-enabled information stealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.
However, the tool’s encryption key is not generated dynamically. It is hard-coded as a hexadecimal string within the binaries, allowing victims to recover all encrypted data without paying any extortion fees. SentinelOne believes the key was probably left there by mistake, similar to how legitimate software developers sometimes leave passwords in their products, so it’s a disappointing return for the group.
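For responders triaging a sample, the flaw described above suggests a simple check: look for hex strings that decode to a key-sized value. The sketch below is an added example, not code from SentinelOne's report or from the malware; the key sizes, the entropy threshold and the sample bytes are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumption: the key is 16, 24 or 32 bytes (common symmetric key sizes);
# the article does not name the cipher VolkLocker uses.
KEY_SIZES = (16, 24, 32)
ASCII_HEX = re.compile(rb"[0-9A-Fa-f]{32,}")
UTF16_HEX = re.compile(rb"(?:[0-9A-Fa-f]\x00){32,}")  # wide strings in Windows binaries


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated byte, higher for random-looking data."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def find_hex_key_candidates(blob: bytes, min_entropy: float = 3.5):
    """Return sorted (offset, encoding, hex_string) for key-sized, random-looking hex runs."""
    hits = []
    for encoding, pattern, step in (("ascii", ASCII_HEX, 1), ("utf-16le", UTF16_HEX, 2)):
        for match in pattern.finditer(blob):
            text = match.group()[::step].decode("ascii")
            # Keep exact key-length runs only; other lengths are more likely hashes or IDs.
            if len(text) % 2 or len(text) // 2 not in KEY_SIZES:
                continue
            # Drop placeholders such as 00..00 or a short repeated pattern.
            if shannon_entropy(bytes.fromhex(text)) >= min_entropy:
                hits.append((match.start(), encoding, text))
    return sorted(hits)


# Constructed sample data (not taken from any real VolkLocker binary).
DEMO_KEY = "9f3c1a7be4520d86c1f7a03b5e9d2468b7fa13ce48a6d05921738fbc64e0957d"
PAD = b"\xff" * 8
SAMPLE = (b"MZ" + PAD + DEMO_KEY.encode() + PAD + b"0" * 64 + PAD
          + DEMO_KEY.encode("utf-16le") + PAD)

if __name__ == "__main__":
    for offset, encoding, candidate in find_hex_key_candidates(SAMPLE):
        print(f"0x{offset:06x} {encoding:9} {candidate}")
```

Any candidate still has to be confirmed by test-decrypting a copy of one encrypted file, since a key-shaped hex string can also be an identifier or a digest.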
Via The Register