Full Report
CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There's some bad news and some good news here. First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation launched in late summer. It's run entirely through Telegram, which makes it very easy for affiliates who aren't especially tech-savvy to lock files and demand a ransom payment. The good news, covered in the analysis below, is that the malware's key handling is sloppy enough that victims may be able to recover their files without paying.
Analysis Summary
# Threat Actor: CyberVolk
## Attribution & Identity
* **Identification:** Pro-Russian hacktivist crew.
* **Known Aliases/Associated Groups:** Operates the ransomware-as-a-service (RaaS) platform known as **CyberVolk 2.x** or **VolkLocker**.
* **Attribution Note:** Does not appear to have direct ties to the Kremlin, unlike some other similar groups (e.g., CyberArmyofRussia\_Reborn, NoName057(16)). They were previously documented last year by security researchers.
## Activity Summary
* CyberVolk has returned after months of silence with a new Ransomware-as-a-Service (RaaS) operation called **VolkLocker**, launched in late summer (August).
* They were previously banned multiple times from Telegram, causing them to be largely inactive for most of 2025 before their resurgence.
* The operation is aimed at lowering the barrier to entry for less tech-savvy affiliates to conduct ransomware attacks.
* They are also advertising standalone Remote Access Trojan (RAT) and keylogger tools in addition to the ransomware service.
## Tactics, Techniques & Procedures
* **Ransomware Implementation:** Uses the **VolkLocker** ransomware, written in Go, with versions for both Linux and Windows machines.
* **Command & Control (C2):** Entire operation, including C2, communication, purchasing, and support, is run exclusively through **Telegram**.
* **Automation:** Utilizes Telegram's built-in automation features for payload generation, coordinating attacks, and managing business operations.
* **Privilege Escalation:** Bypasses Windows User Account Control (UAC) to execute malware with administrative privileges.
* **Encryption:** Employs **AES-256 in GCM mode** for file encryption.
* **Key Management Flaw:** Hardcodes master encryption keys as hex strings within the executables and writes a plaintext file containing the complete master key in the `%TEMP%` folder, enabling potential victim recovery.
* **Exclusion Lists:** Determines which files to encrypt based on exclusion lists configured in the malware code.
* **MITRE ATT&CK IDs:** Not explicitly mentioned, but the operation integrates features mimicking RATs and keyloggers.
## Targeting
* **Sectors:** Not specifically detailed, but the shift toward ransomware suggests targeting for financial gain, while maintaining political motivations typical of hacktivist groups.
* **Geography:** Not specified based on the context provided.
* **Victims:** Specific victim organizations were not mentioned in the provided text.
## Tools & Infrastructure
* **Malware Families Used:** VolkLocker (Ransomware), standalone RAT, and Keylogger tools.
* **Infrastructure:** Runs entirely over the **Telegram** platform for C2, communication, and business administration, requiring affiliates to provide Bitcoin addresses, Telegram bot token IDs, and chat IDs for payload generation.
* **Pricing (November):**
  * RaaS (Single OS): $800 – $1,100 USD
  * RaaS (Linux + Windows): $1,600 – $2,200 USD
  * Standalone RAT or Keylogger: $500 USD each
## Implications
* The adoption of Telegram automation reflects a broader trend among politically motivated threat actors to simplify and scale ransomware deployment by lowering technical barriers for affiliates.
* The inclusion of RAT/keylogger functionality indicates an expansion beyond pure disruptive/hacktivist activities toward more comprehensive data compromise or espionage capabilities.
* The group appears to be struggling with quality control during rapid expansion, evidenced by the critical oversight of hardcoding master encryption keys, which presents a remediation opportunity for victims.
## Mitigations
* Defenders should monitor for indicators tied to VolkLocker samples: Go-compiled binaries with both Linux and Windows builds, AES-256-GCM file encryption with the master key embedded as a hex string, and a plaintext key file dropped in `%TEMP%`.
* Implement robust endpoint detection and response to detect privilege escalation techniques, specifically UAC bypasses.
* Network defenders should be aware that politically motivated groups are increasingly using sophisticated, platform-based automation (like Telegram) to streamline illicit operations.
* Victims of VolkLocker should check the `%TEMP%` directory for residual plaintext master encryption keys, which could allow for decryption without payment.
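As an added triage example (not from the report and not CyberVolk's tooling), the Python script below walks a directory such as `%TEMP%` looking for 64-character hex runs, the length of a hex-encoded AES-256 key. The report does not give the key file's name or layout, so the match is on key length alone (an assumption), every hit still has to be validated against a known encrypted file, and the sample files are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# An AES-256 key is 32 bytes, i.e. 64 hex characters. The report says the master key
# is written as a hex string; since the file name and layout are not documented, we
# match any 64-hex run bounded by non-hex characters (assumption).
HEX_KEY_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def find_candidate_keys(root, max_size=1_000_000):
    """Walk `root` (e.g. %TEMP%) and return (path, hex_key) for every 64-hex run found.

    Files larger than `max_size` bytes are skipped so the scan stays cheap on a
    cluttered temp directory; unreadable files are ignored rather than aborting.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > max_size:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            for m in HEX_KEY_RE.finditer(data):
                hits.append((str(path), m.group(0).decode("ascii").lower()))
    return hits


def demo():
    """Constructed sample: a fake key drop next to an unrelated temp file."""
    fake_key = "00112233445566778899aabbccddeeff" * 2  # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "vl_key.txt").write_text(f"master_key={fake_key}\n")
        Path(tmp, "unrelated.log").write_text("deadbeef cafebabe 2025-11-01 ok\n")
        return find_candidate_keys(tmp), fake_key


if __name__ == "__main__":
    # On a real host, point find_candidate_keys() at os.environ["TEMP"] instead.
    for path, key in demo()[0]:
        print(f"{path}: candidate AES-256 key {key}")
```

Copy any candidate to offline storage before attempting recovery, and treat the key file and the dropped binaries as evidence rather than cleaning them up straight away.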