Novel Locker Malware Linked to 'Volcano Demon' Exploitation

A surge in ransomware attacks has been attributed to a new player known as “Volcano Demon,” a double-extortion ransomware entity that has been wreaking havoc over the past couple of weeks. This cybercriminal group has been employing sophisticated techniques to encrypt victim files and cover its tracks, making it challenging for cybersecurity experts to trace and investigate their activities.

According to researchers at Halcyon, who first spotted this threat, Volcano Demon is using a new locker malware named LukaLocker, which encrypts files and appends the .nba extension. The attackers employ several evasion tactics to avoid detection, including clearing logs before exploitation, limiting the victim's monitoring tools, and making threatening phone calls from untraceable numbers to extort ransom payments.

The Halcyon Research Team noted in a recent blog post that Volcano Demon has no leak site for posting stolen data but employs double extortion as a strategy to increase pressure on their victims. The attackers have been leveraging common administrative credentials to deploy LukaLocker on victim networks, locking both Windows workstations and servers while exfiltrating data to their command-and-control server for further exploitation.

Victims of Volcano Demon are instructed to contact the attackers through the qTox messaging software and await technical support, making it difficult to monitor and intercept communications between the parties involved. The ransom note serves as a chilling reminder of the increasing sophistication and ruthlessness of modern ransomware operators.

The discovery of LukaLocker by the Halcyon researchers has raised concerns about the potential connection to the notorious Conti ransomware group. The malware employs obfuscation techniques and dynamic API resolution to avoid detection, similar to tactics used by Conti in the past. The attackers have been found to terminate security services and other monitoring tools on victim networks, demonstrating a high level of sophistication in their operations.

The use of the ChaCha8 cipher for data encryption, combined with Elliptic-curve Diffie-Hellman key agreement, highlights the technical prowess of the Volcano Demon group. Files are encrypted only in part, at varying percentages, which adds another layer of complexity to the decryption process for victims.
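A defender-side way to surface that partial encryption, as an added example that is not from the article or the Halcyon report: a chunked entropy scan that reports what fraction of a file looks like ciphertext, because whole-file entropy can stay low when only a percentage of each file is encrypted. The chunk size, the entropy threshold and the sample data are assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 4096             # assumed scan granularity (not from the report)
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext approaches 8.0
SUSPICIOUS_EXT = ".nba"  # extension the article attributes to LukaLocker


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size chunks whose entropy looks like ciphertext.

    Whole-file entropy stays low when only part of a file is encrypted, so
    scoring per chunk is what makes partial encryption visible.
    """
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    hits = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return hits / len(chunks)


def triage(name: str, data: bytes) -> dict:
    """Score one file: extension match plus whole-file and per-chunk entropy."""
    return {
        "name": name,
        "ext_match": name.lower().endswith(SUSPICIOUS_EXT),
        "whole_entropy": round(shannon_entropy(data), 2),
        "encrypted_fraction": round(encrypted_fraction(data), 2),
    }


if __name__ == "__main__":
    # Constructed sample: three plaintext chunks followed by one random chunk,
    # i.e. 25% of the file encrypted. Whole-file entropy alone would miss it.
    sample = b"lorem ipsum " * 1024 + os.urandom(CHUNK)
    print(triage("report.docx.nba", sample))
```

Run it over a directory listing to rank files by encrypted fraction together with the extension hit; a low whole-file entropy with a non-zero chunk fraction is the signature of intermittent encryption.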

Given the advanced evasion capabilities of Volcano Demon, organizations are being urged to remain vigilant and enhance their cybersecurity defenses. The Halcyon team has identified several indicators of compromise associated with the attackers, including Trojan files and command-line scripts used in the ransomware attacks.

As the threat landscape continues to evolve, it is essential for businesses and individuals to stay informed about the latest cybersecurity trends and take proactive measures to protect their data from ransomware attacks. The emergence of groups like Volcano Demon underscores the need for robust cybersecurity protocols and a proactive security posture to mitigate the risks posed by increasingly sophisticated threat actors.
