Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label LukaLocker ransomware. Show all posts

Ransomware Group Uses Harassment Tactics to Secure Payments


 

A newly identified ransomware group named Volcano Demon is using aggressive tactics to compel victims to pay ransoms. Halycon, an anti-ransomware firm, recently reported that this group has targeted several organisations in the past weeks with a new encryption tool called LukaLocker.

Attack Strategy

Volcano Demon’s attack method is both simple and effective. Initially, the hackers infiltrate the target’s network, mapping it out and stealing as many sensitive files as they can. Following this, they deploy LukaLocker to encrypt files and entire systems. The victims are then instructed to pay a ransom in cryptocurrency to receive the decryption key and prevent the stolen data from being leaked.

Technical Details of LukaLocker

LukaLocker works by adding a .nba extension to encrypted files and is capable of operating on both Windows and Linux systems. The encryptor is proficient at hiding its tracks by erasing logs before exploitation, making it difficult for cybersecurity experts to perform a full forensic analysis. Furthermore, LukaLocker can disable processes linked to most major antivirus and anti-malware solutions, making recovery efforts even more challenging.

Unlike typical ransomware groups that maintain dedicated data leak sites, Volcano Demon employs a more direct and intimidating approach. They contact the leadership of the victimised companies via phone calls from unidentified numbers to negotiate ransom payments. These calls are often threatening in nature, adding psychological pressure to the already stressful situation of a ransomware attack.

Impact on Businesses

The harassment tactic used by Volcano Demon increases the urgency and stress for affected businesses. The inability to conduct thorough forensic investigations due to LukaLocker’s log-clearing capabilities leaves victims vulnerable and with limited recovery options.

Businesses must enhance their cybersecurity measures to reduce the risk of such attacks. Implementing comprehensive logging and monitoring solutions, maintaining regular backups, and educating employees about common infiltration methods like phishing are critical steps. Additionally, organisations should ensure their antivirus and anti-malware solutions are robust and regularly updated to counteract disabling mechanisms like those employed by LukaLocker.

Volcano Demon’s innovative approach to ransomware, characterised by harassing phone calls and sophisticated encryption methods, underscores the developing nature of cyber threats. As cybercriminals develop new strategies to exploit vulnerabilities, it is essential for businesses to remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and ensure operational continuity.




This New Ransomware Group Uses Phone Calls to Pressure Victims

 



Researchers have identified a new ransomware group called Volcano Demon, responsible for at least two successful attacks in the past two weeks. Tim West, an analyst at cybersecurity firm Halcyon, revealed that the group targeted companies in the manufacturing and logistics industries. However, further details about the targets were not disclosed.

Unlike typical ransomware groups, Volcano Demon does not have a public leaks website. Instead, they use phone calls to intimidate and negotiate payments with leadership at the victim organizations. These calls, often threatening, originate from unidentified numbers.

Before making the calls, the hackers encrypt files on the victims' systems using previously unknown LukaLocker ransomware and leave a ransom note. The note threatens to inform clients and partners about the attack and sell data to scammers if the ransom is not paid.

Volcano Demon uses a double extortion technique, exfiltrating data to command-and-control (C2) services before encrypting it. They successfully locked Windows workstations and servers by exploiting common administrative credentials from the network. Tracking Volcano Demon has proven difficult due to their practice of clearing log files on targeted machines, which hampers comprehensive forensic evaluation.

West mentioned that the hackers, who spoke with a heavy accent, call very frequently, almost daily in some cases. However, the origin of the callers remains unclear as no recordings are available.

It is uncertain whether Volcano Demon operates independently or as an affiliate of a known ransomware group. Halcyon has not yet identified any such links.

Ransomware operators continue to evolve, with new threat actors emerging and targeting various industries. In May 2024, researchers identified a criminal gang named Arcus Media, operating a ransomware-as-a-service model and targeting victims in the U.S., U.K., India, and Brazil. Another group, Space Bears, appeared in April, quickly gaining notoriety for their corporate-themed data leak site and affiliations with the Phobos ransomware-as-a-service group. Researchers suggest that these groups may be more organized and funded than previously anticipated.