CyberVolk’s ransomware debut stumbles on cryptography weakness

BleepingComputer, 13/12/2025, 15:11

Summary

AI-Generated

Key Points:

  • CyberVolk, a pro-Russia hacktivist group, has launched a ransomware-as-a-service (RaaS) called VolkLocker, which contains significant cryptographic flaws allowing victims to decrypt files for free.
  • The ransomware uses a hardcoded master key stored in plaintext on affected systems, impacting both Linux/VMware ESXi and Windows environments. This flaw undermines the effectiveness of the ransomware and could lead to financial losses for the group.
  • Organizations should monitor for any signs of VolkLocker infections and consider implementing measures to detect and respond to ransomware threats. Additionally, they should educate users about potential recovery options if affected.

Technical Details: VolkLocker employs AES-256 encryption but uses the same master key for all files, and it also saves that key in plaintext as "system_backup.key" in the %TEMP% folder. This implementation flaw allows victims to recover their files without paying the ransom.

MITRE ATT&CK Techniques:

  • T1486 - Data Encrypted for Impact (Impact)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned:

  • system_backup.key (filename)
  • .locked or .cvolk (file extensions)
