The gang, dubbed Volcano Demon by researchers, uses a unique LukaLocker encryptor and direct intimidation tactics.
There’s a new ransomware kid on the block with a very different set of techniques, tactics, and procedures.
Ransomware researchers at cyber security firm Halcyon spotted the new threat actor – which they’re calling Volcano Demon – after investigating several attacks in the last couple of weeks.
Not only is Volcano Demon a technically proficient operation, but it also eschews some of the usual trappings and tactics of similar ransomware gangs. According to Halcyon, the ransomware gang does not have a dark web leak site and does not appear to promote its own activity at all.
Rather, alongside dropping the usual ransom note, the gang contacts the leadership team of the victims directly, as well as their senior IT people. The phone calls are unidentifiable and often threatening.
The ransom note features a similar tone.
“Your corporate network has been encrypt3d. And that’s not all – we studied and downloaded a lot of your data,” the note said. “Many of them have confidential status.
“If you ignore this incident, we will ensure that your confidential data is widely available to the public. We will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees.”
The note then goes on to explain how to make contact, before laying out the “advantages” of dealing with the gang. Volcano Demon promises that it will never share data once a ransom is paid, nor will it ever be mentioned. It’ll provide a recovery tool and a “security report” of the incident, while the gang said it will never attack the victim again.
The gang’s encryptor – called LukaLocker by Halcyon – is written and compiled in C++ and is an x64 PE binary. It encrypts selected files, giving them a .nba file extension, while skipping file types such as .exe, .sys, and .dll. LukaLocker has been observed encrypting both Windows workstations and servers, with a Linux version deployed alongside.
In addition to encrypting files, the gang exfiltrates data to its C2 servers to enable double extortion.
Volcano Demon gains initial access after harvesting common administrative credentials from a network and is very careful about what evidence it leaves behind.
“Logs were cleared prior to exploitation and, in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event,” the Halcyon research team said in a blog post.
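The two behaviours described above (files renamed to a .nba extension with .exe/.sys/.dll left alone, and logs cleared before the encryption run) can be turned into a simple defender-side triage rule. The following is an added example, not Halcyon’s tooling or anything from the report; it assumes endpoint telemetry has already been normalised into (timestamp, host, event type, detail) tuples, and the sample events are constructed.

```python
"""Triage constructed endpoint telemetry for two behaviours reported for LukaLocker:
a burst of files renamed to .nba (.exe/.sys/.dll left alone) and event logs cleared
shortly before that burst. Event format is assumed; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".nba"
SKIPPED_EXTS = (".exe", ".sys", ".dll")
RENAME_BURST = 5               # qualifying renames inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed events: (ISO timestamp, host, event type, detail)
SAMPLE_EVENTS = [
    ("2024-07-01T02:00:00", "fs01", "log_cleared", "Security"),
    ("2024-07-01T02:03:10", "fs01", "file_rename", r"D:\share\q1.xlsx -> D:\share\q1.xlsx.nba"),
    ("2024-07-01T02:03:11", "fs01", "file_rename", r"D:\share\q2.xlsx -> D:\share\q2.xlsx.nba"),
    ("2024-07-01T02:03:12", "fs01", "file_rename", r"D:\apps\tool.exe -> D:\apps\tool.exe.nba"),
    ("2024-07-01T02:03:13", "fs01", "file_rename", r"D:\share\hr.docx -> D:\share\hr.docx.nba"),
    ("2024-07-01T02:03:14", "fs01", "file_rename", r"D:\share\ar.pdf -> D:\share\ar.pdf.nba"),
    ("2024-07-01T02:03:15", "fs01", "file_rename", r"D:\share\db.bak -> D:\share\db.bak.nba"),
    ("2024-07-01T09:16:00", "ws02", "file_rename", r"C:\tmp\b.txt -> C:\tmp\b.nba"),
]

def is_profile_rename(detail):
    """True when the new name ends in .nba and the original was not a skipped type."""
    old, _, new = detail.lower().partition(" -> ")
    return new.endswith(ENCRYPTED_EXT) and not old.endswith(SKIPPED_EXTS)

def burst_start(times):
    """First timestamp at which RENAME_BURST renames fall inside WINDOW, else None."""
    for i in range(len(times) - RENAME_BURST + 1):
        if times[i + RENAME_BURST - 1] - times[i] <= WINDOW:
            return times[i]
    return None

def triage(events):
    """Map host -> 'encryption_burst' or 'burst_after_log_clear'; quiet hosts omitted."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in sorted(events):
        by_host[host].append((datetime.fromisoformat(ts), etype, detail))
    findings = {}
    for host, evs in by_host.items():
        renames = [t for t, e, d in evs if e == "file_rename" and is_profile_rename(d)]
        start = burst_start(renames)
        if start is None:
            continue
        clears = [t for t, e, _ in evs if e == "log_cleared"]
        preceded = any(start - WINDOW <= c <= start for c in clears)
        findings[host] = "burst_after_log_clear" if preceded else "encryption_burst"
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags only fs01, and as the higher-priority verdict because the Security log was cleared three minutes before the renames began; the lone .nba rename on ws02 never reaches the burst threshold.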
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.