- CyberVolk has reappeared with an updated ransomware-as-a-service model, but its encryptor is fundamentally broken.
- VolkLocker's hard-coded encryption key allows victims to recover data for free, undermining the operation.
- The group operates entirely through Telegram and combines hacktivism with financially motivated ransomware distribution activities.
CyberVolk, a Russian hacktivist group that has been dormant for most of 2025, has returned, offering its affiliates an updated version of its ransomware-as-a-service (RaaS) model. However, there appears to be a gaping structural hole in the encryptor that renders the entire model harmless.
CyberVolk is a relatively young pro-Russian hacktivist collective that emerged in 2024. The group's entire infrastructure is located on Telegram, which simplifies the process of locking files and demanding ransom for group members, even if they are not very tech-savvy.
When the platform targeted the group back in 2024 and shut down several of its channels, the group disappeared. Now it is back, but it seems to work on the same principle: all management is carried out through Telegram, and potential clients and operational requests are routed to the main bot.
Most hacktivists engage in distributed denial of service (DDoS) attacks, cyber espionage, and data theft.
CyberVolk, however, added ransomware into the mix, making it unclear whether they are actually hacktivists or simply financially motivated cybercriminals hiding behind a pro-Russian stance. This was confirmed by cybersecurity researchers at SentinelOne, whose latest report describes the group and its modus operandi in more detail.
The VolkLocker encryptor includes built-in Telegram automation for command and control, and C2 is customizable. “Some CyberVolk operators have published examples that include additional capabilities such as keylogging control,” the researchers explained.
It also has features that alert operators to new infections, similar to Telegram-enabled data-theft tools. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.
However, the encryption key for this tool is not dynamically generated. It is hard-coded as a hexadecimal string in the binaries, allowing victims to recover all encrypted data without paying any ransom. SentinelOne believes the key was most likely left there by mistake, similar to how legitimate software developers sometimes leave passwords in their products, so it's a disappointing return for the group.
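For responders triaging a sample, the flaw described above can be checked with a short scan for key-sized hexadecimal strings. The following is an added example, not code from SentinelOne or from the original article. It assumes the key is stored as ASCII hex and decodes to a common symmetric key size (16, 24 or 32 bytes); the sample blob and the key inside it are constructed for the demonstration.

```python
import math
import re

# Assumption: a hard-coded key decodes to a common symmetric key size.
KEY_SIZES = {16, 24, 32}
# Hex runs of 32..64 characters that are not part of a longer hex run.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,64}(?![0-9A-Fa-f])")


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the decoded candidate."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hex_key_candidates(blob: bytes, min_entropy: float = 3.5):
    """Return (offset, hex_string, entropy) for key-like hex strings in blob."""
    hits = []
    for m in HEX_RUN.finditer(blob):
        text = m.group().decode("ascii")
        if len(text) % 2:
            continue  # odd length cannot be a whole number of bytes
        raw = bytes.fromhex(text)
        if len(raw) not in KEY_SIZES:
            continue  # e.g. 20-byte SHA-1 digests
        entropy = byte_entropy(raw)
        if entropy >= min_entropy:  # drops padding and counting patterns
            hits.append((m.start(), text, round(entropy, 2)))
    return sorted(hits, key=lambda h: -h[2])


# Constructed demo key: 32 distinct byte values, so entropy is exactly 5.0.
DEMO_KEY_HEX = bytes((i * 37 + 11) % 256 for i in range(32)).hex()

# Constructed stand-in for a binary: one key-like string plus three decoys.
SAMPLE = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b"0" * 64,                                       # padding, entropy 0
    b"0123456789abcdef0123456789abcdef",             # counting pattern
    b"da39a3ee5e6b4b0d3255bfef95601890afd80709",     # 20-byte digest
    b'key="' + DEMO_KEY_HEX.encode("ascii") + b'"',  # hard-coded key
])

if __name__ == "__main__":
    for offset, text, entropy in find_hex_key_candidates(SAMPLE):
        print(f"offset {offset:#x}  entropy {entropy}  {text}")
```

Any hit is only a candidate: it still has to be confirmed by test-decrypting a copy of one encrypted file.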






