The VolkLocker ransomware requires operators to configure several parameters when building a new payload. These parameters include a bitcoin address for payment, a Telegram bot token ID and chat ID for communication, an encryption deadline, a desired file extension for encrypted files, and various self-destruct options for the malware. This customization allows the RaaS model to be flexible for different affiliates using the platform.
Upon execution, the VolkLocker ransomware begins by attempting to escalate its privileges on the compromised system. Following this, it conducts reconnaissance and system enumeration, which includes checking the local system’s MAC address prefixes to detect the presence of common virtualization environments such as those from Oracle and VMware. Once the initial checks are complete, the malware proceeds to list all available drives and determines which specific files will be targeted for encryption based on the configuration embedded within its payload.
VolkLocker employs the AES-256 encryption algorithm in Galois/Counter Mode (GCM) for the actual file encryption process, utilizing Golang’s standard “crypto/rand” package for cryptographic operations. Each file that is successfully encrypted by the ransomware is then appended with a custom extension, such as .locked or .cvolk, to visually indicate its encrypted state. This is a standard procedure for many ransomware variants.
Despite the use of strong encryption standards, an investigation into test samples of the VolkLocker ransomware revealed a crucial and easily exploitable flaw. The analysis showed that the master encryption keys are not only hard-coded directly into the ransomware binaries but are also consistently used to encrypt all files across the victim’s system. Critically, this master key is also saved in plaintext format to a file named “system_backup.key” located in the %TEMP% folder (“C:\Users\AppData\Local\Temp\system_backup.key”), making decryption trivial for victims who find this file.
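The two paragraphs above describe AES-256-GCM file encryption built on Go's standard library and a master key left in plaintext in %TEMP%. The following Go program is an added example of the recovery tool an incident responder could write from those two facts; it is not code from the article, from VolkLocker, or from any decryptor the article mentions. Everything about the on-disk format is an assumption: the key file is taken to hold either 32 raw bytes or 64 hex characters, and each encrypted file is taken to be the GCM nonce followed by ciphertext and tag (the layout Go's `cipher.AEAD.Seal` produces when the nonce is used as the destination prefix). A real sample may store the nonce elsewhere or use associated data, in which case `OpenGCM` fails with an authentication error rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KeyFileName is the file name the article reports for the plaintext master key.
const KeyFileName = "system_backup.key"

// DefaultKeyPath returns %TEMP%\system_backup.key; os.TempDir reads TEMP on Windows.
func DefaultKeyPath() string {
	return filepath.Join(os.TempDir(), KeyFileName)
}

// ParseMasterKey accepts the key file contents either as 32 raw bytes or as
// 64 hex characters. The encoding is an assumption; the article only says "plaintext".
func ParseMasterKey(contents []byte) ([]byte, error) {
	if len(contents) == 32 {
		return contents, nil
	}
	trimmed := strings.TrimSpace(string(contents))
	if len(trimmed) == 64 {
		if key, err := hex.DecodeString(trimmed); err == nil {
			return key, nil
		}
	}
	return nil, errors.New("key file is neither 32 raw bytes nor 64 hex characters")
}

// LoadMasterKey reads and parses the key file from disk.
func LoadMasterKey(path string) ([]byte, error) {
	contents, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ParseMasterKey(contents)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM encrypts plaintext with a fresh random nonce from crypto/rand and
// returns nonce||ciphertext||tag. It exists so the round trip can be exercised
// offline; the layout is an assumption about the sample, not a documented fact.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM reverses SealGCM. A wrong key or a different file layout fails the
// GCM authentication check, so the caller never receives corrupted plaintext.
func OpenGCM(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("encrypted file is too short to hold nonce and tag")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// RecoverFile decrypts one encrypted file and writes the original name with the
// ransomware extension (for example ".locked" or ".cvolk") stripped. The
// encrypted copy is left in place so a failed attempt loses nothing.
func RecoverFile(key []byte, encryptedPath, lockedExt string) (string, error) {
	blob, err := os.ReadFile(encryptedPath)
	if err != nil {
		return "", err
	}
	plain, err := OpenGCM(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w (wrong key or unexpected file layout)", encryptedPath, err)
	}
	outPath := strings.TrimSuffix(encryptedPath, lockedExt)
	if outPath == encryptedPath {
		outPath += ".recovered"
	}
	if err := os.WriteFile(outPath, plain, 0o600); err != nil {
		return "", err
	}
	return outPath, nil
}

// Usage: go run . <keyfile> <extension> <encrypted file>...
func main() {
	if len(os.Args) < 4 {
		fmt.Fprintf(os.Stderr, "usage: %s <keyfile> <ext> <file>...  (default key path: %s)\n", os.Args[0], DefaultKeyPath())
		os.Exit(2)
	}
	key, err := LoadMasterKey(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "key:", err)
		os.Exit(1)
	}
	for _, path := range os.Args[3:] {
		if out, err := RecoverFile(key, path, os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, "skip:", err)
		} else {
			fmt.Println("recovered", out)
		}
	}
}
```

Run against a copy of the affected files first; because GCM authenticates every decryption, a mismatch between the assumed layout and the real one surfaces as a clean error rather than a silently corrupted document.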
Source: VolkLocker Ransomware Broken As Hard Coded Master Key Enables Free Decryption
Saving the master key in plaintext to %TEMP% is genuinely wild. It's like putting the safe combination on a sticky note next to the safe. The fact that the RaaS model lets operators configure so many params but somehow missed this basic opsec failure shows how uneven ransomware dev quality really is. I've seen similar issues in samples where devs prioritize feature velocity over fundamentals, and it always bites them. Victims get lucky this time tho.