VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption
Briefly

"Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options," security researcher Jim Walter said in a report published last week. Once launched, the ransomware attempts to escalate privileges, performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors like Oracle and VMware. In the next stage, it lists all available drives and determines the files to be encrypted based on the embedded configuration."
"VolkLocker uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang's "crypto/rand" package. Every encrypted file is assigned a custom extension such as .locked or .cvolk. However, an analysis of the test samples has uncovered a fatal flaw where the locker's master keys are not only hard-coded in the binaries, but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder ("C:\Users\AppData\Local\Temp\system_backup.key")."
VolkLocker emerged in August 2025 as a Golang-based ransomware-as-a-service capable of targeting Windows and Linux systems. Operators configure payloads with bitcoin addresses, Telegram bot tokens and chat IDs, encryption deadlines, file extensions and self-destruct options. The ransomware escalates privileges, performs reconnaissance and system enumeration, checks MAC prefixes for virtualization, lists drives and selects files per embedded configuration. VolkLocker uses AES-256-GCM via Golang's crypto/rand and appends extensions like .locked or .cvolk. Test samples reveal hard-coded master keys and a plaintext backup key written to %TEMP%\system_backup.key that is not deleted, enabling decryption. The strain also modifies the registry, deletes shadow copies and terminates antivirus and analysis processes.
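As an added illustration (not code from the report or from VolkLocker itself), the Go snippet below shows why a master key that survives in a plaintext file defeats AES-256-GCM regardless of how well the key was generated: whoever holds the key file can open every blob, and GCM's tag check makes a wrong key fail closed rather than yield garbage. The blob layout (nonce || ciphertext || tag) and the key bytes are assumptions for the demo; the page does not document the real on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// sealDemo builds a constructed sample blob in the assumed layout
// nonce || ciphertext || tag (what gcm.Seal yields when the nonce is prepended).
func sealDemo(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverWithLeakedKey decrypts one blob using the master key read from the
// leaked key file. A wrong key or a tampered blob returns an error from gcm.Open.
func RecoverWithLeakedKey(key, blob []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("expected %d-byte AES-256 key, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob shorter than nonce plus tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, keyLen) // constructed stand-in for the leaked key
	blob, _ := sealDemo(key, []byte("constructed victim document"))
	pt, err := RecoverWithLeakedKey(key, blob)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```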
Read at The Hacker News