Full Report
Operators accidentally left a way for you to get your data back. CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There's some bad news and some good news here.…
Analysis Summary
# Threat Actor: CyberVolk
## Attribution & Identity
**Identification:** Pro-Russian hacktivist crew.
**Known Aliases:** CyberVolk 2.x, VolkLocker (Ransomware variant/service).
**Known Associations:** Distinct from groups like CyberArmyofRussia_Reborn and NoName057(16). Does not appear to have direct ties to the Kremlin, unlike some other similar groups.
## Activity Summary
CyberVolk has returned to operations after months of silence (where they experienced multiple bans from Telegram). They have launched a new Ransomware-as-a-Service (RaaS) operation centered around the **VolkLocker** malware. This resurgence began in August [implied year 2025] and is heavily integrated with Telegram for coordination and management. The group is currently struggling with quality control as they expand by recruiting less technically skilled affiliates.
## Tactics, Techniques & Procedures
- **RaaS Operation:** Utilizes Telegram's built-in automation for affiliates to generate payloads, coordinate attacks, and manage business operations.
- **Command and Control (C2):** All communication, purchasing, and support run through Telegram channels/bots. Default C2 supports functions like messaging victims, listing victims, and retrieving system info.
- **Privilege Escalation:** Escalates privileges post-deployment, bypassing Windows User Account Control (UAC) to execute with admin-level privileges.
- **Encryption:** Uses AES-256 in GCM mode for file encryption.
- **Exclusion Lists:** Determines files to encrypt based on configured exclusion paths and extensions in the malware code.
- **Testing Artifacts (Flaw):** **Crucially, the operators leak the master encryption key** by hardcoding it as a hex string in the executable and saving a plaintext file of the master key in the victim's `%TEMP%` folder.
- **MITRE ATT&CK IDs:** Not explicitly cited in the source text; the UAC bypass described above maps to T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control).
## Targeting
- **Sectors:** Not explicitly detailed, but operating as a broad RaaS suggests wide targeting.
- **Geography:** Not explicitly detailed. Focus appears to be politically motivated operations given their hacktivist label.
- **Victims:** No specific organizations were named in the provided text. Because the payloads are written in Go and support both operating systems, the operation can target environments running Windows and/or Linux.
## Tools & Infrastructure
- **Malware Families Used:** VolkLocker (Ransomware payload written in Go). Actors also advertised standalone Keyloggers and Remote Access Trojans (RATs).
- **Infrastructure (C2, domains, IPs):**
  - Primary infrastructure relies entirely on **Telegram**, using bot tokens and chat IDs for C2.
  - **Defanged URLs (source reporting, not actor infrastructure):**
    - `hxxps://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/`
    - `hxxps://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/`
    - `hxxps://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/`
    - `hxxps://dev.to/js402/go-aes-gcm-a-security-deep-dive-3ec8`
## Implications
CyberVolk is lowering the barrier to entry for ransomware deployment by heavily automating operations via Telegram, making it accessible to less skilled affiliates. While they have adopted sophisticated automation trends, their current quality control issues (leaking master keys) present a significant, immediate recovery opportunity for victims deploying the flawed build. Their adoption of Telegram infrastructure reflects a growing trend among politically motivated actors for convenient, semi-anonymous service management.
## Mitigations
- **Immediate Recovery Potential:** Victims experiencing VolkLocker encryption should immediately check the `%TEMP%` folder for plaintext master encryption keys to potentially recover data without paying the ransom.
- **Threat Monitoring:** Network defenders should monitor for unexpected Telegram bot traffic from endpoints and servers, since payload generation, C2 and victim messaging for this operation all run through Telegram bots; this pattern reflects a broader adaptation by politically motivated threat actors.
- **UAC Monitoring:** Monitor for and block UAC bypass attempts and other privilege escalation, especially processes launched with SYSTEM or administrator rights shortly after initial compromise.
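A recovery check for the key leak described under Testing Artifacts and Immediate Recovery Potential, written here as an added example in Go (the payload's language); it is not VolkLocker code or any vendor's decryptor. It assumes the leaked key file contains the raw AES-256 key as a 64-character hex string, as the report describes, and assumes, without support from the report, that each encrypted file stores a 12-byte GCM nonce before the ciphertext; the file layout, key file name and `go run` invocation are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"log"
	"os"
	"regexp"
)
// A raw AES-256 key written as hex is exactly 64 hex characters, the leak
// format the report describes for the plaintext key file left in %TEMP%.
var keyRe = regexp.MustCompile(`(?i)\b[0-9a-f]{64}\b`)
// OpenGCM decrypts one AES-256-GCM blob. ASSUMPTION (not from the report): the
// 12-byte nonce is prepended to the ciphertext. A wrong key fails GCM's tag
// check instead of yielding garbage, so this also verifies a candidate key.
func OpenGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad cipher or blob shorter than GCM nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Recover tries every AES-256-sized hex string found in the leaked key file
// against an encrypted blob and returns the first plaintext that authenticates.
func Recover(keyFile, blob []byte) ([]byte, error) {
	for _, m := range keyRe.FindAll(keyFile, -1) {
		k, _ := hex.DecodeString(string(m)) // cannot fail: the regex matched hex
		if pt, err := OpenGCM(k, blob); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no candidate key authenticated the blob")
}
// Usage: go run . <key-file> <encrypted-file>; plaintext goes to stdout.
func main() {
	keyFile, _ := os.ReadFile(os.Args[1])
	blob, _ := os.ReadFile(os.Args[2])
	pt, err := Recover(keyFile, blob)
	if err != nil {
		log.Fatalln(err)
	}
	os.Stdout.Write(pt)
}
```

Validate the assumed layout against one small encrypted file first: a failed `Open` means the candidate key or the nonce placement is wrong, never that the data came back as garbage.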