CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains

ID: 55e1628c-2b7a-5e52-ac43-6ac991fae899

STIX ID: report--55e1628c-2b7a-5e52-ac43-6ac991fae899

Feed Name: SentinelOne Blog

Threat Score
75/100

Date Published: 2025-12-11

Date Updated: 2026-04-30

Author: Jim Walter

...
...

This report analyzes CyberVolk’s VolkLocker ransomware-as-a-service: Golang-built Windows and Linux payloads with Telegram-based automation and RaaS features. It documents AES-256-GCM encryption using a hardcoded master key (also written in plaintext to %TEMP%), UAC bypass via the ms-settings registry technique, VM/sandbox detection, registry modifications and Defender disabling, persistence copies, a dynamic HTML ransom note with an enforcement timer and destructive routines (shadow copy deletion, profile folder deletion, BSOD), and published IOCs (file hashes, Bitcoin address, Telegram bot token). The plaintext master key backup is highlighted as a critical design flaw that enables victim recovery, while the operator ecosystem and Telegram C2 model indicate active, scalable criminal activity.