Saved February 14, 2026
Do you care about this?
CyberVolk's new ransomware, VolkLocker, has significant flaws that allow victims to recover their files without paying the ransom. It targets Windows and Linux systems and includes a built-in timer that threatens to delete user files if payment isn't made in time. The group is also expanding its services to include a remote access trojan and keylogger.
If you do, here's more
CyberVolk, a pro-Russian hacktivist group, has launched a new ransomware-as-a-service called VolkLocker. This malware, which emerged in August 2025, targets both Windows and Linux systems and is written in Golang. A significant vulnerability has been found in its implementation, allowing victims to decrypt their files without paying the ransom. The flaw stems from hard-coded master keys in the software binaries, which are also saved in plaintext under the %TEMP% directory, enabling easy self-recovery.
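For responders checking an affected host for the plaintext key described above, the following added example (not from the article or from any researcher's tooling) sweeps the temp directory for values shaped like a 256-bit key. The article does not name the key file or its encoding, so the hex, base64 and raw forms, the size limit and the function names `candidates_in_bytes` and `find_candidate_keys` are all assumptions.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

KEY_LEN = 32               # AES-256 key size in bytes
MAX_FILE_SIZE = 64 * 1024  # assumption: a dropped key file is small
# Assumed encodings: 64 hex characters, or 44-character padded base64.
HEX_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=(?![A-Za-z0-9+/=])")


def candidates_in_bytes(data):
    """Return (encoding, key_bytes) for each 32-byte key-shaped value in data."""
    found = []
    for m in HEX_RE.finditer(data):
        found.append(("hex", bytes.fromhex(m.group().decode("ascii"))))
    for m in B64_RE.finditer(data):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except binascii.Error:
            continue
        if len(raw) == KEY_LEN:
            found.append(("base64", raw))
    if not found and len(data) == KEY_LEN:
        found.append(("raw", data))  # file is exactly one unencoded key
    # Drop obviously non-random values (all zeros, padding) to cut noise.
    return [(enc, key) for enc, key in found if len(set(key)) >= 16]


def find_candidate_keys(directory):
    """Scan small files under directory; return [(path, encoding, key_hex)]."""
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        try:
            if not path.is_file() or path.stat().st_size > MAX_FILE_SIZE:
                continue
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable file: skip it and keep scanning
        for enc, key in candidates_in_bytes(data):
            hits.append((str(path), enc, key.hex()))
    return hits


if __name__ == "__main__":
    # gettempdir() resolves %TEMP% on Windows and TMPDIR or /tmp on Linux.
    for path, enc, key_hex in find_candidate_keys(tempfile.gettempdir()):
        print(f"{path}\t{enc}\t{key_hex}")
```

Hits are only candidates, since a hex-encoded SHA-256 hash has the same shape as a hex-encoded key. Because AES-GCM is authenticated, a wrong candidate fails tag verification on a copy of an encrypted file instead of silently producing garbage.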
VolkLocker employs AES-256 encryption in Galois/Counter Mode and assigns custom extensions to encrypted files. It includes features typical of ransomware, such as modifying the Windows Registry to obstruct recovery and deleting volume shadow copies. A notable tactic is an enforcement timer that deletes user files from key folders if victims do not pay within 48 hours or enter an incorrect decryption key three times. CyberVolk's RaaS operations run through Telegram, with prices ranging from $800 to $2,200 depending on the operating system.
The group has broadened its offerings beyond ransomware, advertising a remote access trojan and a keylogger for $500 each. Despite facing repeated bans on Telegram, CyberVolk has managed to maintain and expand its operations, indicating a persistent threat in the cyber landscape. Security researchers are highlighting the use of Telegram for automation as a trend among politically motivated hacker groups, making ransomware deployment more accessible and streamlined for criminals.