A pro-Russia hacktivist group known as CyberVolk has launched a new ransomware-as-a-service (RaaS) operation called VolkLocker. The ransomware, however, comes with serious implementation flaws that may allow victims to recover their data without paying a ransom.
According to researchers at SentinelOne, VolkLocker’s encryptor relies on a hardcoded master key embedded directly in the malware binary, and the same key is written in plaintext to a hidden file on infected systems.
CyberVolk, reportedly an India-based collective that emerged last year, has targeted public and government entities seen as opposing Russia or supporting Ukraine. Following its disruption on Telegram, the group resurfaced in August 2025 with VolkLocker (also referred to as CyberVolk 2.x), a RaaS platform targeting Windows as well as Linux and VMware ESXi systems. Access to the service is advertised at $800 to $1,100 for a single operating system, or up to $2,200 for cross-platform support.
VolkLocker uses AES-256 encryption in Galois/Counter Mode and appends “.locked” or “.cvolk” extensions to encrypted files.
However, SentinelOne found that the ransomware uses the same master key for all files on a system and stores it in a plaintext file named system_backup.key in the temporary directory.
“Storing master encryption keys in plaintext is a significant design blunder that undermines the ransomware’s effectiveness, allowing victims to recover files without acceding to the threat actor’s ransom demand,” the researchers noted.
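For responders, the practical consequence is that the key file should be collected before any temp-directory cleanup or reimaging. The triage sketch below is an added example, not SentinelOne's tooling: it preserves any system_backup.key it finds and counts files with the two reported extensions. The function names, the evidence directory and the choice of temp directories to search are assumptions. It does not attempt decryption, because the key encoding and encrypted-file layout are not described here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

KEY_FILE_NAME = "system_backup.key"      # file name reported in the article
LOCKED_SUFFIXES = {".locked", ".cvolk"}  # extensions reported in the article


def find_key_files(temp_dirs):
    """Return every system_backup.key found under the given temp directories."""
    found = []
    for d in temp_dirs:
        d = Path(d)
        if d.is_dir():
            found.extend(p for p in d.rglob(KEY_FILE_NAME) if p.is_file())
    return sorted(found)


def preserve(key_path, evidence_dir):
    """Copy the key file into evidence_dir and return (copy_path, sha256)."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(Path(key_path).read_bytes()).hexdigest()
    # Prefix with the hash so copies from several hosts do not collide.
    dest = evidence_dir / f"{digest[:16]}_{KEY_FILE_NAME}"
    shutil.copy2(key_path, dest)  # copy2 keeps timestamps for the timeline
    return dest, digest


def inventory_locked(root):
    """Count files under root that carry one of the reported extensions."""
    counts = {s: 0 for s in LOCKED_SUFFIXES}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in counts:
            counts[p.suffix.lower()] += 1
    return counts


def triage(data_root, temp_dirs=None, evidence_dir="volklocker_evidence"):
    """Preserve key files first, then size the impact under data_root."""
    # Assumption: the process temp dir is the default place to look; pass
    # per-user or per-host temp paths explicitly when triaging a mounted image.
    temp_dirs = temp_dirs or [tempfile.gettempdir()]
    keys = [preserve(k, evidence_dir) for k in find_key_files(temp_dirs)]
    return {"keys": keys, "locked": inventory_locked(data_root)}
```

Run it against a mounted image or a live host with read access to each user's temp directory, and record the returned SHA-256 alongside the copied key in the case notes.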