Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label phone call intimidation. Show all posts

This New Ransomware Group Uses Phone Calls to Pressure Victims

 



Researchers have identified a new ransomware group called Volcano Demon, responsible for at least two successful attacks in the past two weeks. Tim West, an analyst at cybersecurity firm Halcyon, revealed that the group targeted companies in the manufacturing and logistics industries. However, further details about the targets were not disclosed.

Unlike typical ransomware groups, Volcano Demon does not have a public leaks website. Instead, they use phone calls to intimidate and negotiate payments with leadership at the victim organizations. These calls, often threatening, originate from unidentified numbers.

Before making the calls, the hackers encrypt files on the victims' systems using previously unknown LukaLocker ransomware and leave a ransom note. The note threatens to inform clients and partners about the attack and sell data to scammers if the ransom is not paid.

Volcano Demon uses a double extortion technique, exfiltrating data to command-and-control (C2) services before encrypting it. They successfully locked Windows workstations and servers by exploiting common administrative credentials from the network. Tracking Volcano Demon has proven difficult due to their practice of clearing log files on targeted machines, which hampers comprehensive forensic evaluation.

West mentioned that the hackers, who spoke with a heavy accent, call very frequently, almost daily in some cases. However, the origin of the callers remains unclear as no recordings are available.

It is uncertain whether Volcano Demon operates independently or as an affiliate of a known ransomware group. Halcyon has not yet identified any such links.

Ransomware operators continue to evolve, with new threat actors emerging and targeting various industries. In May 2024, researchers identified a criminal gang named Arcus Media, operating a ransomware-as-a-service model and targeting victims in the U.S., U.K., India, and Brazil. Another group, Space Bears, appeared in April, quickly gaining notoriety for their corporate-themed data leak site and affiliations with the Phobos ransomware-as-a-service group. Researchers suggest that these groups may be more organized and funded than previously anticipated.