Russian Hackers Debut Simple Ransomware Service, But Store Keys In Plain Text (theregister.com)
(Posted by BeauHD on Friday December 12, 2025 @10:30PM, from the good-news-and-bad-news dept.)
- News link: https://it.slashdot.org/story/25/12/12/2140258/russian-hackers-debut-simple-ransomware-service-but-store-keys-in-plain-text
- Source link: https://www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/
The pro-Russian CyberVolk group resurfaced with a Telegram-based ransomware-as-a-service platform, but fatally undermined its own operation by hardcoding master encryption keys in plaintext [1]. The Register reports:
> First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation that launched in late summer. It's run entirely through Telegram, which makes it very easy for affiliates that aren't that tech savvy to lock files and demand a ransom payment. CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.
>
> But here's the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master keys -- this same key encrypts all files on a victim's system -- into the executable files. This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and flawed code in a Thursday report [2].
[1] https://www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/
[2] https://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/?
the worst part is... (Score:1)
by codevark ( 1070362 )
...some chump (who counted himself one of the gang) just has his throat cut.
They have a decryption key... (Score:3)
Which is more integrity than I expected from a ransomware scammer. I assumed they all just replaced the files with noise and PROMISED to decrypt in exchange for payment.