NewApp Digest
search bot

ransomware-as-a-service

VolkLocker Emerges as a Cross-Platform Ransomware Threat Targeting Linux and Windows
Winsage
December 15, 2025

VolkLocker Emerges as a Cross-Platform Ransomware Threat Targeting Linux and Windows

A pro-Russian hacktivist group, CyberVolk, has re-emerged in 2025 with a new ransomware-as-a-service (RaaS) operation called VolkLocker, which targets both Windows and Linux systems using Golang. The group utilizes Telegram bots for command-and-control operations, allowing affiliates to manage ransomware interactions. Despite its advancements, coding errors in the ransomware enable victims to recover encrypted files without paying a ransom. VolkLocker employs AES-256 encryption but has a critical flaw where the master encryption key is hard-coded and saved in plaintext, allowing easy decryption. The ransomware also ensures persistence by replicating itself and disabling essential system tools. CyberVolk offers additional RAT and keylogger add-ons for sale, with complete RaaS packages priced between [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A newly rebooted pro-Russian hacktivist group, CyberVolk, has made a notable comeback in 2025, unveiling a new ransomware-as-a-service (RaaS) operation dubbed VolkLocker, as detailed in recent research by SentinelOne. After a prolonged period of dormancy following extensive bans on Telegram, this group has re-emerged with a Golang-based ransomware solution that targets both Windows and Linux systems. This latest initiative signifies CyberVolk's commitment to revitalizing its operations, showcasing what analysts refer to as the “CyberVolk 2.x” generation of tools. Despite the group's advancements, their integration of sophisticated Telegram-based automation has inadvertently led to coding errors that allow victims to recover their encrypted files without the need to pay a ransom. Telegram-Fueled Automation and Functionality VolkLocker is heavily reliant on Telegram bots for its command-and-control operations, which form the core of its new RaaS model. All interactions between operators and the ransomware's ecosystem, from onboarding new customers to managing victims, are facilitated through a Telegram bot known as CyberVolk_Kbot. This bot provides various commands such as /decrypt, /list, and /status, enabling affiliates to monitor infections and communicate with compromised systems in real time. Operators tasked with creating new ransomware payloads must input several configuration details, including a Bitcoin address, Telegram bot token ID, chat ID, encryption deadline, and file extension. Decryption triggered via backed-up key file This design approach aligns with CyberVolk’s goal of simplifying deployment for affiliates with limited technical skills. The Golang-based payloads, compiled for both Linux and Windows platforms, utilize the “ms-settings” UAC bypass technique (MITRE ATT&CK T1548.002) for privilege escalation. Once operational, VolkLocker performs system reconnaissance, checks for virtual machine environments by matching MAC address prefixes, and strategically excludes key system paths from encryption. Encryption Flaws and System Destruction Features VolkLocker employs AES-256 in Galois/Counter Mode (GCM) for file encryption; however, its encryption design reveals a significant oversight. The master encryption key is hard-coded within the binary and is also saved in a plaintext file named system_backup.key located in the %TEMP% directory. This easily accessible key allows victims to decrypt their files without paying the ransom, highlighting a critical flaw in CyberVolk’s development process. In addition to its encryption capabilities, VolkLocker ensures persistence by replicating itself across multiple directories and disabling essential tools such as Task Manager, Windows Defender, and Command Prompt through registry modifications. It also deletes Volume Shadow Copies and can trigger a Blue Screen of Death (BSOD) using the Windows NtRaiseHardError() function when the countdown timer expires or when incorrect decryption keys are repeatedly entered. Despite these coding missteps, CyberVolk is expanding its offerings, providing RAT and keylogger add-ons for 0 each, along with complete RaaS packages ranging from 0 to ,200. SentinelOne researchers caution that this resurgence underscores how politically motivated groups are increasingly leveraging Telegram infrastructure to commercialize their ransomware operations. Indicators of Compromise: Windows Sample: dcd859e5b14657b733dfb0c22272b82623466321 Linux Sample: 0948e75c94046f0893844e3b891556ea48188608 Bitcoin Wallet: bc1qujgdzl0v82gh9pvmg3ftgnknl336ku26nnp0vy Telegram Bot: 8368663132:AAHBfe3xYPtg1IMynKhQy1BRzuF5UZRZspw Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates" max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and ,200. Indicators of compromise include specific Windows and Linux sample hashes, a Bitcoin wallet address, and a Telegram bot ID.
DragonForce Cartel Emerges Following Conti v3 Ransomware Source Code Leak
Tech Optimizer
November 6, 2025

DragonForce Cartel Emerges Following Conti v3 Ransomware Source Code Leak

Acronis Threat Research Unit (TRU) analyzed the DragonForce ransomware cartel, which emerged in 2023 as a Ransomware-as-a-Service (RaaS) operation and transitioned to a cartel model. DragonForce utilizes leaked Conti v3 code and has similarities with LockBit Green in encryption and backend configurations. By early 2025, it rebranded as the “DragonForce Ransomware Cartel,” offering affiliates 80 percent profit shares and infrastructure support. The cartel has over 200 victims from various sectors since late 2023 and is known for its attack on Marks & Spencer, collaborating with Scattered Spider. DragonForce employs bring-your-own-vulnerable-driver (BYOVD) techniques to evade endpoint protection and has improved its encryption methods. The group has spawned offshoots like Devman and Mamona, which utilize its enhanced encryptor.
Ransomware Gangs Exploit Remote Access Tools to Stay Hidden and Maintain Control
Tech Optimizer
October 6, 2025

Ransomware Gangs Exploit Remote Access Tools to Stay Hidden and Maintain Control

Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection. The ransomware kill chain consists of several stages: 1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts. 2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations. 3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges. 4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection. 5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion. Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.
silver Android smartphone
Tech Optimizer
September 20, 2025

Top 10 Best Ransomware Protection Solutions in 2025

Ransomware is an increasing threat to organizations, with cybercriminals using advanced techniques like double extortion, supply chain attacks, and AI to bypass defenses. The impact of ransomware includes downtime, data loss, reputational damage, and regulatory fines, making robust protection essential for business continuity. Organizations need a comprehensive strategy that includes prevention, detection, response, and recovery. Key trends in ransomware include: - Ransomware-as-a-Service (RaaS) lowering barriers for attackers. - Double and triple extortion tactics where data is stolen and threatened to be leaked. - Use of AI and machine learning by attackers for phishing and vulnerability identification. - Supply chain attacks targeting vendors to access multiple organizations. - Attackers targeting backups to hinder recovery efforts. The text also provides a comparison of ten ransomware protection solutions in 2025, detailing their features, strengths, and weaknesses. Notable solutions include: 1. CrowdStrike: Strong endpoint protection with real-time visibility and behavioral AI. 2. Zerto: Focuses on rapid recovery with continuous data protection. 3. Acronis: Combines backup and cybersecurity in one solution. 4. Kaspersky: Proven detection and neutralization capabilities. 5. SentinelOne: Autonomous AI for real-time threat response. 6. Bitdefender: Multi-layered protection with low system impact. 7. Norton: User-friendly suite for small businesses and individuals. 8. Arcserve: Unified data protection with immutable backups. 9. Nasuni: Cloud-native global file system with integrated ransomware recovery. 10. Emsisoft: Specialized anti-ransomware tool with strong detection capabilities. Each solution is tailored to different organizational needs, from comprehensive enterprise solutions to specialized tools for smaller businesses.
ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector
Tech Optimizer
June 27, 2025

ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector

The ClickFix attack vector has increased by 517% since the latter half of 2024, becoming the second most exploited method for cyberattacks, following phishing. Hackers are using ClickFix to deploy various infostealing malware, including Lumma Stealer, VidarStealer, StealC, and Danabot. The ClickFix mechanism involves a counterfeit reCAPTCHA that misleads users into executing harmful Powershell commands. This method is primarily spread through phishing emails directing users to fraudulent websites. ESET’s Threat Report indicates that SnakeStealer has surpassed Agent Tesla as the most frequently detected infostealer, targeting businesses in the US and EU for credential theft. The ransomware landscape has been disrupted by internal conflicts among groups, with DragonForce launching defacement campaigns against other ransomware entities. On mobile devices, Kaleidoscope infections have caused a 160% increase in Android adware detections, and the SparkKitty malware has been found in both the Apple App Store and Google Play Store. Kaleidoscope generates revenue through intrusive ads while infecting devices with a malicious app from third-party stores.
Play ransomware exploited Windows logging flaw in zero-day attacks
Winsage
May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.
Ransomware crews add EDR killers to their arsenal
Tech Optimizer
March 31, 2025

Ransomware crews add EDR killers to their arsenal

Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use sophisticated strategies to disable defenses early in attacks. Cisco Talos reported that in nearly half of the ransomware incidents they handled in 2024, attackers successfully employed "EDR killers" to neutralize endpoint detection and response (EDR) systems, achieving success 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats to organizational security. EDRKillShifter exploits vulnerable drivers on Windows machines to terminate EDR products, a tactic observed in operations by rival gangs like Medusa, BianLian, and Play. The primary goal of these tools is to disable EDR protections, allowing attackers to operate undetected, complicating system recovery efforts. Recovery often requires wiping and rebuilding entire networks if robust backups are available. Some EDR killers, like HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection systems. Attackers have exploited misconfigured systems, particularly EDR products set to audit-only mode, which detect but do not block malicious activity. LockBit has remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024. Newcomer RansomHub secured the second position with 11 percent of posts to leak sites. The effectiveness of law enforcement actions plays a significant role in shaping the ransomware landscape.
Top 10 Best Ransomware Protection Tools
Tech Optimizer
February 23, 2025

Top 10 Best Ransomware Protection Tools

Ransomware is a type of malicious software that encrypts files, making them inaccessible until a ransom is paid, usually in cryptocurrency. Ransom demands can range from a few hundred to several thousand dollars, causing significant disruptions and financial losses. Key examples of ransomware include WannaCry, Petya, CryptoLocker, Ryuk, REvil, and Snake. To protect against ransomware, it is crucial to keep software updated, use anti-virus solutions, be cautious with unknown attachments or links, and regularly back up important data. Effective protection tools include backup solutions, anti-virus software, firewalls, and ransomware-specific solutions. Free protection options include Windows Defender, Malwarebytes Anti-Ransomware, Bitdefender Anti-Ransomware, Avast Anti-Ransomware, and Kaspersky Anti-Ransomware Tool for Business. Ransomware can be categorized into locker ransomware, screen ransomware, and encrypting ransomware.
Week in review: PostgreSQL 0-day exploited in US Treasury hack, top OSINT books to learn from
Tech Optimizer
February 23, 2025

Week in review: PostgreSQL 0-day exploited in US Treasury hack, top OSINT books to learn from

Researchers from Rapid7 disclosed that the breach of US Treasury workstations by suspected Chinese state-sponsored hackers was facilitated by two zero-day vulnerabilities, including a PostgreSQL flaw (CVE-2025-1094). Exploitation attempts targeting Palo Alto Networks firewalls have surged, focusing on CVE-2025-0108, an authentication bypass vulnerability. Apiiro security researchers introduced PRevent, an open-source tool to detect malicious code in pull requests, and Kunai, an open-source threat hunting tool for Linux, was also introduced. Chester Wisniewski from Sophos discussed the shifting ransomware landscape and quantum decryption threats, while Juliette Hudson from CybaVerse emphasized the importance of asset visibility in cybersecurity. The resurgence of BlackLock ransomware is anticipated in 2025, and XCSSET info-stealing malware has been observed targeting macOS users. Cybersecurity professionals are advised to consider the increasing use of artificial intelligence by malicious actors when making investment decisions for 2025. Various cybersecurity roles are currently available globally, reflecting the growing demand for expertise. New information security products were introduced by companies including 1Password, Fortinet, Pangea, Privacera, and Veeam Software.
Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes
Winsage
July 17, 2024

Security End-Run: ‘AuKill’ Shuts Down Windows-Reliant EDR Processes

FIN7 developed AuKill, an anti-security tool designed to undermine endpoint security, which has been used by ransomware groups in their attacks. AuKill targets protected processes monitored by EDR solutions using time-travel debugging and Process Explorer drivers, causing crashes in targeted systems. Organizations are advised to strengthen their security solutions with anti-tampering protections to defend against kernel-mode attacks.
Search