
CyberVolk's VolkLocker ransomware flaw allows free decryption

2 unique sources, 2 articles

Summary


CyberVolk, a pro-Russia hacktivist group, launched VolkLocker, a ransomware-as-a-service (RaaS) offering, with a critical cryptographic flaw: the ransomware relies on a hardcoded master key that it writes in plaintext to a file in the %TEMP% folder, so victims can recover the key and decrypt their files without paying the ransom. The flaw was discovered by SentinelOne researchers; it undermines the ransomware's effectiveness and highlights the group's inexperience in cybercrime operations. VolkLocker targets both Linux/VMware ESXi and Windows systems. The group also offers a remote access trojan and a keylogger for sale. VolkLocker is written in Golang and attempts to escalate privileges and perform reconnaissance and system enumeration. It modifies the Windows Registry to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools. An enforcement timer wipes the contents of user folders if victims fail to pay within 48 hours or enter the wrong decryption key three times. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing operators to message victims, initiate file decryption, list active victims, and retrieve system information.

Timeline

  1. 13.12.2025 17:11 (2 articles)

    CyberVolk launches VolkLocker ransomware with critical cryptographic flaw

    CyberVolk, a pro-Russia hacktivist group, launched VolkLocker, a ransomware-as-a-service (RaaS) offering, in August 2025. The ransomware targets both Linux/VMware ESXi and Windows systems. A critical flaw in its cryptography allows victims to decrypt their files for free by extracting the master key from a plaintext file. The group also offers a remote access trojan and a keylogger for sale. VolkLocker is written in Golang and attempts to escalate privileges and perform reconnaissance and system enumeration. It modifies the Windows Registry to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools. An enforcement timer wipes the contents of user folders if victims fail to pay within 48 hours or enter the wrong decryption key three times. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing operators to message victims, initiate file decryption, list active victims, and retrieve system information.


Similar Happenings

DeadLock Ransomware Campaign Uses BYOVD to Evade Security Tools

A financially motivated threat actor has been observed deploying DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools and achieve full system compromise. The attack involved privilege-escalation scripts, registry modifications, remote access tools (RATs), and a custom encryption routine. The ransomware targeted various applications and services while avoiding critical system files to maintain system functionality for ransom negotiations. Victims were instructed to pay ransom in Bitcoin or Monero via Session Messenger.

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads

Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

Emergence of AI-Powered Ransomware Strain PromptLock

A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers. The ransomware leverages an AI model to generate Lua scripts on the fly, complicating detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The ransomware was uploaded to VirusTotal from the United States and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for cybersecurity defenders. The strain was discovered by Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The use of AI in ransomware introduces variability in indicators of compromise (IoCs), making detection more difficult. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom ransom notes based on the files affected and the type of infected machine. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

North Korean threat actors have rapidly weaponized the **React2Shell (CVE-2025-55182)** vulnerability to deploy **EtherRAT**, a sophisticated Linux malware implant that leverages **Ethereum smart contracts for resilient C2 communication**. Discovered in December 2025, EtherRAT employs a **consensus-based voting mechanism** across nine public Ethereum RPC endpoints to resist sinkholing, alongside **five redundant persistence methods** (systemd, XDG autostart, cron jobs, bashrc/profile injection) and a **self-updating capability** that fetches obfuscated replacement code to evade static detection. The malware’s encrypted loader pattern closely mirrors **BeaverTail**, reinforcing its ties to the **Contagious Interview campaign**, which has now expanded to exploit **VS Code’s auto-run tasks.json** via malicious GitHub repositories. This campaign continues a broader pattern of North Korean APT groups—including **Scarcruft (APT37)**, **Konni**, and **BlueNoroff (Lazarus subgroup)**—targeting South Korea and global cryptocurrency sectors with multi-stage attacks. Earlier efforts combined **spear-phishing (Operation HanKook Phantom)**, **social engineering via KakaoTalk**, and **destructive operations** like remote Android device wipes via Google’s Find Hub. The integration of **React2Shell exploitation** into EtherRAT underscores the group’s agility in weaponizing zero-day flaws, while its overlap with **EtherHiding** and **fake recruitment campaigns (GhostCall/GhostHire)** highlights a strategic focus on **credential theft, cryptocurrency heists, and persistent access** to high-value targets.