New ransomware operator trades the dark web for intimidating phone calls
The gang, dubbed Volcano Demon by investigators, uses unique LukaLocker encryption and direct intimidation tactics.
There is a new ransomware kid on the block with a very different set of techniques, tactics and procedures.
Ransomware researchers at cybersecurity company Halcyon detected the new threat actor, which they call Volcano Demon, after investigating several attacks in recent weeks.
Not only is Volcano Demon a technically proficient operation, but it also avoids some of the common traps and tactics of similar ransomware gangs. According to Halcyon, the ransomware gang does not have a leak site on the dark web and does not appear to promote its own activity at all.
Rather, in addition to sending the usual ransom note, the gang directly contacts the victim's leadership team as well as its senior IT staff. The phone calls come from an unidentified caller and are often threatening.
The ransom note strikes a similar tone.
“Your corporate network has been encrypted. And that’s not all: we have studied and downloaded much of your data,” the note says. “Much of it has confidential status.
“If you ignore this incident, we will ensure that your sensitive data is widely available to the public. We will make sure your customers and partners know everything, and the attacks will continue. Some of the data will be sold to scammers who will attack your customers and employees.”
The note then explains how to establish contact, before setting out the “advantages” of dealing with the gang. Volcano Demon promises that it will never share data once the ransom is paid, nor will it ever mention it. It will provide a recovery tool and a “safety report” of the incident, while the gang said it will never attack the victim again.
The gang’s encryptor, called LukaLocker by Halcyon, is written in C++ and compiled as an x64 PE binary. It encrypts selected files, appending a .nba file extension, and skips others, such as .exe, .sys, and .dll. LukaLocker has been observed encrypting both Windows workstations and servers, and a Linux variant has also been deployed.
In addition to encrypting files, data is also exfiltrated to command-and-control (C2) servers to enable double extortion.
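As an added example (not code from Halcyon or the article), the following Python detector flags a host/user pair that renames many files to the .nba extension within a short window, the file-system behaviour described above. The audit-log format and the sample lines are constructed for the example; paths are assumed to contain no spaces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = ".nba"  # extension LukaLocker appends to encrypted files

# Constructed sample audit-log lines in a hypothetical format:
# "<ISO time> <host> <user> RENAME <old path> -> <new path>"
SAMPLE_LOG = """\
2024-07-01T02:14:03 FS01 svc_backup RENAME D:\\share\\q2.xlsx -> D:\\share\\q2.xlsx.nba
2024-07-01T02:14:03 FS01 svc_backup RENAME D:\\share\\plan.docx -> D:\\share\\plan.docx.nba
2024-07-01T02:14:04 FS01 svc_backup RENAME D:\\share\\hr.pdf -> D:\\share\\hr.pdf.nba
2024-07-01T02:14:05 FS01 svc_backup RENAME D:\\share\\db.bak -> D:\\share\\db.bak.nba
2024-07-01T02:14:06 FS01 svc_backup RENAME D:\\share\\notes.txt -> D:\\share\\notes.txt.nba
2024-07-01T09:30:00 WS22 alice RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
2024-07-01T09:31:10 WS22 alice RENAME C:\\Users\\alice\\old.nba -> C:\\Users\\alice\\stats.nba
"""


def parse_event(line):
    """Split one constructed-format audit line into its fields."""
    ts, host, user, action, rest = line.split(" ", 4)
    old, new = rest.split(" -> ", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "old": old, "new": new}


def find_nba_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return [(host, user, count)] for each host/user pair that renamed at
    least `threshold` files to .nba inside any span of length `window`.
    A single legitimate .nba rename (see the WS22 line) does not trigger."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["action"] == "RENAME" and ev["new"].lower().endswith(SUSPECT_EXT):
            per_actor[(ev["host"], ev["user"])].append(ev["ts"])
    alerts = []
    for (host, user), times in per_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((host, user, best))
    return alerts


if __name__ == "__main__":
    print(find_nba_bursts(SAMPLE_LOG))  # → [('FS01', 'svc_backup', 5)]
```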
Volcano Demon gains initial access using common administrative credentials harvested from the network, and it is very careful about the evidence it leaves behind.
“The logs were wiped prior to exploitation and, in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and the limited victim logging and monitoring solutions installed prior to the event,” the Halcyon research team said in a blog post.