Notorious Russian cybercriminals return with new ransomware

But encrypted files can easily be decrypted

· TechRadar

News By Sead Fadilpašić published 12 December 2025


  • CyberVolk resurfaced with a revamped ransomware‑as‑a‑service model, but its encryptor is fundamentally broken
  • VolkLocker’s hardcoded encryption key lets victims recover data for free, undermining the operation
  • The group operates entirely via Telegram and blends hacktivism with financially motivated ransomware activity

CyberVolk, a Russian hacktivist group that’s been dormant for most of 2025, is back, offering an updated version of its ransomware-as-a-service (RaaS) model to its affiliates. However, there seems to be a gaping structural hole in the encryptor that renders the entire model harmless.

CyberVolk is a relatively young, pro-Russian hacktivist collective that emerged in 2024. The group’s entire infrastructure is on Telegram, making it a simple process for affiliates to lock files and demand ransom, even if they aren't too tech-savvy.

When the platform targeted the group back in 2024 and shut down a few of its channels, the group disappeared. Now it is back, and it seems to be operating on the same principle: everything is managed through Telegram, and prospective customers and operational queries are directed to the main bot.

Google employees against warfare

Most hacktivists are engaged in Distributed Denial of Service (DDoS) attacks, cyber-espionage, and data theft.

CyberVolk, however, added ransomware into the mix, making it unclear if they’re actually hacktivists or just financially motivated cybercriminals hiding behind a pro-Russia stance. This was confirmed by cybersecurity researchers SentinelOne, whose latest report digs deeper into the group and its modus operandi.

The encryptor, VolkLocker, includes built-in Telegram automation for command and control, while the C2 is customizable. “Some CyberVolk operators have published examples that include additional capabilities, such as keylogging control,” the researchers explained.

It also has functions that alert operators when a new infection happens, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.
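The check-in behavior described above gives defenders something to hunt for in egress logs. The following is an added example, not taken from the article or the researchers' report: it scans a constructed proxy log for Telegram Bot API calls made by processes outside an allowlist and rates a text message plus a file upload from the same process as the strongest signal. The log layout, host names, process names, tokens and the `APPROVED_PROCESSES` allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
UPLOAD_METHODS = {"sendPhoto", "sendDocument"}  # Bot API methods that carry files
APPROVED_PROCESSES = {"alertbot.exe"}           # assumption: a sanctioned internal bot

# Constructed sample proxy log (assumed layout): time, host, process, URL
SAMPLE_LOG = """\
2025-12-12T09:14:02Z WS-0142 chrome.exe https://web.telegram.org/a/
2025-12-12T09:15:40Z WS-0142 invoice_viewer.exe https://api.telegram.org/bot1234567890:AAExampleConstructedToken/sendMessage
2025-12-12T09:15:41Z WS-0142 invoice_viewer.exe https://api.telegram.org/bot1234567890:AAExampleConstructedToken/sendPhoto
2025-12-12T09:20:00Z SRV-OPS1 alertbot.exe https://api.telegram.org/bot9876543210:AAExampleConstructedOps/sendMessage
2025-12-12T09:31:10Z WS-0200 updater.exe https://api.telegram.org/bot1234567890:AAExampleConstructedToken/getUpdates
"""

def find_bot_api_beacons(log_text):
    """Group Bot API calls by (host, process, bot id) and rate each group."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, host, process, url = parts
        m = BOT_API.match(url)
        if not m or process.lower() in APPROVED_PROCESSES:
            continue
        bot_id, method = m.groups()  # keep the numeric bot id, drop the secret part
        calls[(host, process, bot_id)].append(method)
    findings = []
    for (host, process, bot_id), methods in sorted(calls.items()):
        # A text message plus a file upload matches the check-in described above.
        checkin = "sendMessage" in methods and bool(UPLOAD_METHODS & set(methods))
        findings.append({"host": host, "process": process, "bot_id": bot_id,
                         "methods": methods,
                         "severity": "high" if checkin else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_beacons(SAMPLE_LOG):
        print(finding)
```

The same bot id showing up on more than one host, as in the sample, is a useful pivot for scoping an incident.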
