
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,076 of 2,445   
   Mike Powell to All   
   CyberVolk returns with ra   
   13 Dec 25 09:45:46   
   
   TZUTC: -0500   
   MSGID: 1833.consprcy@1:2320/105 2da2b943   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Notorious Russian cybercriminals return with new ransomware   
      
   Date:   
   Fri, 12 Dec 2025 14:15:00 +0000   
      
   Description:   
   But encrypted files can easily be decrypted because someone forgot about a   
   hardcoded artifact.   
      
   FULL STORY   
      
   CyberVolk, a Russian hacktivist group that's been dormant for most of 2025, is
   back, offering an updated version of its RaaS model to its affiliates.   
   However, there seems to be a gaping structural hole in the encryptor that   
   renders the entire model harmless.    
      
   CyberVolk is a relatively young, pro-Russian hacktivist collective that   
   emerged in 2024. The group's entire infrastructure is on Telegram, making it a
   simple process for affiliates to lock files and demand ransom, even if they   
   aren't too tech-savvy.    
      
   When the platform targeted the group back in 2024, and shut down a few of its   
   channels, the group disappeared. Now, it is back, but it seems to be    
   operating on the same principle - everything is managed through Telegram, and   
   prospective customers and operational queries are directed to the main bot.    
      
   Most hacktivists are engaged in Distributed Denial of Service (DDoS) attacks,   
   cyber-espionage, and data theft.    
      
   CyberVolk, however, added ransomware into the mix, making it unclear if    
   they're actually hacktivists, or just financially-motivated cybercriminals
   hiding behind a pro-Russia stance. This was confirmed by cybersecurity   
   researchers SentinelOne, whose latest report digs deeper into the group and
   its modus operandi.    
      
   The encryptor, VolkLocker, includes built-in Telegram automation for command   
   and control, while the C2 is customizable. Some CyberVolk operators have   
   published examples that include additional capabilities, such as keylogging   
   control, the researchers explained.    
      
   It also has functions that alert operators when a new infection happens,   
   similar to Telegram-enabled infostealers. When a host is infected, basic   
   system information and a screenshot are sent to the configured Telegram chat.    
      
   But, the encryption key for the tool is not generated dynamically. It is   
   hardcoded as a hex string within the binaries, allowing victims to recover    
   all encrypted data without paying any extraction fees. SentinelOne believes   
   the key was likely left in there by mistake, similarly to how legitimate   
   software developers sometimes forget passwords in their products - so it's an
   underwhelming comeback for the group.    
      
    Via The Register    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/notorious-russian-cybercriminals-return-with-new-ransomware
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      


