
 Message 2076 
 Mike Powell to All 
 CyberVolk returns with ra 
 13 Dec 25 09:45:46 
 
TZUTC: -0500
MSGID: 1833.consprcy@1:2320/105 2da2b943
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Notorious Russian cybercriminals return with new ransomware

Date:
Fri, 12 Dec 2025 14:15:00 +0000

Description:
But encrypted files can easily be decrypted because someone forgot about a
hardcoded artifact.

FULL STORY

CyberVolk, a Russian hacktivist group that's been dormant for most of 2025, is
back, offering an updated version of its RaaS model to its affiliates.
However, there seems to be a gaping structural hole in the encryptor that
renders the entire model harmless.

CyberVolk is a relatively young, pro-Russian hacktivist collective that
emerged in 2024. The group's entire infrastructure is on Telegram, making it a
simple process for affiliates to lock files and demand ransom, even if they
aren't too tech-savvy.

When the platform targeted the group back in 2024, and shut down a few of its
channels, the group disappeared. Now, it is back, but it seems to be 
operating on the same principle - everything is managed through Telegram, and
prospective customers and operational queries are directed to the main bot. 

Most hacktivists are engaged in Distributed Denial of Service (DDoS) attacks,
cyber-espionage, and data theft. 

CyberVolk, however, added ransomware into the mix, making it unclear if
they're actually hacktivists, or just financially-motivated cybercriminals
hiding behind a pro-Russia stance. This was confirmed by cybersecurity
researchers SentinelOne, whose latest report digs deeper into the group and
its modus operandi.

The encryptor, VolkLocker, includes built-in Telegram automation for command
and control, while the C2 is customizable. Some CyberVolk operators have
published examples that include additional capabilities, such as keylogging
control, the researchers explained. 

It also has functions that alert operators when a new infection happens,
similar to Telegram-enabled infostealers. When a host is infected, basic
system information and a screenshot are sent to the configured Telegram chat. 

But, the encryption key for the tool is not generated dynamically. It is
hardcoded as a hex string within the binaries, allowing victims to recover
all encrypted data without paying any extraction fees. SentinelOne believes
the key was likely left in there by mistake, similar to how legitimate
software developers sometimes forget passwords in their products - so it's an
underwhelming comeback for the group.

 Via The Register 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/notorious-russian-cybercriminals-return-with-new-ransomware

--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)