SOC Prime Bias: High

12 Dec 2025 14:56 UTC

CyberVolk Reemerges: VolkLocker’s New Features and Flaws

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
CyberVolk Reemerges: VolkLocker’s New Features and Flaws
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article covers the resurgence of the pro-Russia hacktivist collective CyberVolk and its new ransomware family dubbed VolkLocker. This Golang-based ransomware targets both Windows and Linux systems and relies on Telegram for command and control. It uses a hard-coded AES-256-GCM master key, which is also written in plaintext to the %TEMP% directory, effectively creating an unintended decryption shortcut. VolkLocker further tampers with registry settings, turns off security controls, and attempts destructive actions against the system once a built-in timer expires.

Investigation

Researchers examined the VolkLocker sample and observed that it is distributed without code obfuscation, instead recommending the use of UPX for packing. The ransomware carries out environment checks, enumerates available drives, encrypts data using a static master key, and stores that key in a hidden backup file. Persistence is maintained by replicating the executable into multiple paths and applying registry changes. Telegram bot tokens and a Bitcoin address are mandatory configuration elements for successful operation.

Mitigation

Defenders should watch for the documented registry changes, the creation of the plaintext key backup file, and multiple copies of the same executable appearing in startup locations. Blocking outbound traffic to Telegram-related domains and flagging UPX-packed binaries can help limit risk. Maintaining regular offline or immutable backups and preventing automatic deletion of volume shadow copies are also advised.

Response

After detection, immediately isolate the compromised endpoint, retrieve the plaintext key backup file from %TEMP%, and leverage the known master key for file decryption. Eradicate all instances of the VolkLocker executable, restore altered registry values, and restart any disabled security solutions. Perform a forensic review of Telegram-based C2 traffic and continue monitoring for subsequent misuse of the exposed bot token.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Objective: Obtain SYSTEM privileges on a standard user workstation while evading security tooling.
    2. Step 1 – UAC Bypass: The attacker launches ms-settings.exe with a command line that forces the process to call NtRaiseHardError, a known undocumented API that can trigger a UAC elevation prompt that can be auto‑accepted in certain mis‑configurations.
    3. Step 2 – Disrupt Defenses: Immediately after the elevation, the same command line invokes taskkill.exe to terminate known analysis tools (procmon.exeprocesshacker.exe, etc.) that might be monitoring privileged processes.
    4. Resulting Telemetry: A single process‑creation event where Image = ms-settings.exe and CommandLine contains both taskkill.exe and NtRaiseHardError, satisfying the Sigma rule’s selection.
    # Combined malicious command – crafted to appear as ms-settings.exe arguments
    $maliciousCmd = '"C:\Windows\System32\ms-settings.exe" "taskkill.exe /F /IM procmon.exe" "NtRaiseHardError"'
    Start-Process -FilePath "$env:SystemRoot\system32\ms-settings.exe" -ArgumentList $maliciousCmd
  • Regression Test Script: The following PowerShell script reproduces the exact attack and can be reused for automated regression testing.

    <#
    .SYNOPSIS
        Simulates the CyberVolk ms‑settings UAC bypass + analysis‑tool termination technique.
    .DESCRIPTION
        Launches ms-settings.exe with a crafted argument list that includes taskkill.exe and NtRaiseHardError.
        Generates the specific process‑creation telemetry required to fire the Sigma detection rule.
    .NOTES
        Run with a normal user account. Ensure that the target environment has process‑creation logging enabled.
    #>
    
    # Parameters (adjust if needed)
    $msSettings = "$env:SystemRoot\system32\ms-settings.exe"
    $analysisTools = @("procmon.exe","processhacker.exe","ida64.exe")
    $killCmd = "taskkill.exe /F /IM " + ($analysisTools -join " /IM ")
    $hardError = "NtRaiseHardError"
    
    # Build the malicious argument string
    $argList = @($killCmd, $hardError) -join " "
    
    Write-Host "Launching ms-settings.exe with malicious arguments..."
    Start-Process -FilePath $msSettings -ArgumentList $argList
    
    Write-Host "Command executed:"
    Write-Host "`"$msSettings`" $argList"
  • Cleanup Commands: After verification, terminate any lingering ms-settings.exe processes and restore normal system state.

    # Stop any ms-settings processes that may still be running
    Get-Process -Name "ms-settings" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Optional: Verify no analysis tools were unintentionally killed
    foreach ($tool in @("procmon","processhacker","ida64")) {
        if (Get-Process -Name $tool -ErrorAction SilentlyContinue) {
            Write-Host "$tool is still running."
        } else {
            Write-Host "$tool was terminated (expected for the test)."
        }
    }