CyberSecurity SEE

Volcano Demon Group Launches Attacks on Organizations Using LukaLocker Ransomware

The Volcano Demon group has recently come to light for spreading a new ransomware named LukaLocker, with Idealease Inc., a truck leasing company, being one of the primary targets. This group has been actively targeting various security, monitoring, and backup services, including popular antivirus programs such as Trend Micro, Malwarebytes, Sophos, and McAfee. If any of these security products are identified on the target machine, the malware disables them before carrying out its malicious activities.

In recent times, the Volcano Demon group has been linked to several successful cybercrime attacks, with a specific focus on industrial and logistic sectors. The group tends to intimidate the leadership of the victim organization and engages in negotiations for payments over the phone.

The LukaLocker ransomware, utilized by the Volcano Demon group, is coded in C++ and presented as an x64 binary. To evade detection, analysis, and reverse engineering, the ransomware employs dynamic API resolution and API obfuscation to conceal its harmful intent. Upon execution, the malware opens a command prompt window that displays a list of processes it attempts to terminate. Subsequently, it encrypts files on the system and appends “.NBA” to their filenames while placing a ransom note named readme.txt on the desktop.
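The two on-disk indicators the article reports, files renamed with a ".NBA" suffix and a readme.txt dropped on the desktop, are enough to build a simple detection heuristic. The following is an added example written for this page, not code from the article or from any vendor: it parses a stream of constructed file-system events (the "timestamp EVENT path" line format is an assumption), raises a finding when a burst of ".NBA" renames occurs within a sliding time window, and raises a second finding when a readme.txt appears in a user's Desktop folder. The threshold and window size are constructed tuning values.

```python
"""Detection heuristic for LukaLocker-style activity (added example, not from the article).

Indicators taken from the article: files renamed with the ".NBA" extension and a
ransom note named readme.txt written to the desktop.  Everything else here
(event line format, thresholds, sample data) is constructed for illustration.
"""
import re
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".NBA"          # extension the article reports LukaLocker appends
NOTE_NAME = "readme.txt"     # ransom note file name reported in the article
RENAME_THRESHOLD = 5         # constructed: .NBA renames per window before alerting
WINDOW = timedelta(seconds=60)  # constructed: sliding window for the burst check

# Assumed event format: "<ISO timestamp> RENAME <src> -> <dst>" or "<ISO timestamp> CREATE <path>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>RENAME|CREATE) (?P<detail>.+)$")

# Constructed sample events: a mix of benign and ransomware-like activity.
SAMPLE_EVENTS = r"""
2024-07-01T10:00:00 RENAME C:\Users\alice\Documents\q1.xlsx -> C:\Users\alice\Documents\q1.xlsx.NBA
2024-07-01T10:00:01 RENAME C:\Users\alice\Documents\q2.xlsx -> C:\Users\alice\Documents\q2.xlsx.NBA
2024-07-01T10:00:01 RENAME C:\Users\alice\Documents\draft.docx -> C:\Users\alice\Documents\final.docx
2024-07-01T10:00:02 RENAME C:\Users\alice\Pictures\a.jpg -> C:\Users\alice\Pictures\a.jpg.NBA
2024-07-01T10:00:02 RENAME C:\Users\alice\Pictures\b.jpg -> C:\Users\alice\Pictures\b.jpg.NBA
2024-07-01T10:00:03 RENAME C:\Users\alice\Pictures\c.jpg -> C:\Users\alice\Pictures\c.jpg.NBA
2024-07-01T10:00:04 CREATE C:\Users\alice\Desktop\readme.txt
""".strip().splitlines()


def parse_event(line):
    """Parse one event line into a dict, or return None for unrecognised input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    kind = m.group("kind")
    detail = m.group("detail")
    if kind == "RENAME":
        src, _, dst = detail.partition(" -> ")
        return {"ts": ts, "kind": kind, "src": src, "dst": dst}
    return {"ts": ts, "kind": kind, "path": detail}


def is_desktop_note(path):
    """True if the path is <anything>\\Desktop\\readme.txt (case-insensitive)."""
    parts = path.replace("/", "\\").split("\\")
    return (len(parts) >= 2
            and parts[-1].lower() == NOTE_NAME
            and parts[-2].lower() == "desktop")


def analyze(lines):
    """Return a list of human-readable findings for the given event lines."""
    findings = []
    recent = deque()          # timestamps of .NBA renames inside the current window
    burst_reported = False    # report the burst once, not on every further rename
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if (ev["kind"] == "RENAME"
                and ev["dst"].endswith(RANSOM_EXT)
                and not ev["src"].endswith(RANSOM_EXT)):
            recent.append(ev["ts"])
            # Drop renames that have fallen outside the sliding window.
            while recent and ev["ts"] - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= RENAME_THRESHOLD and not burst_reported:
                findings.append(
                    f"mass rename to {RANSOM_EXT}: {len(recent)} files within "
                    f"{WINDOW.seconds}s at {ev['ts'].isoformat()}")
                burst_reported = True
        elif ev["kind"] == "CREATE" and is_desktop_note(ev["path"]):
            findings.append(f"ransom note dropped: {ev['path']}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The sliding window matters: a single user renaming one file to an odd extension is noise, while several such renames in a minute across directories is the pattern worth paging on. In a real deployment the events would come from a file-integrity or EDR telemetry feed rather than a string, and the note check should be paired with the rename burst so that an isolated readme.txt does not fire on its own.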

The ransom note warns the victim that their corporate network has been encrypted, and sensitive data has been accessed by the attackers. To retrieve the encrypted files, the victim is instructed to engage in a conversation with the operator via the qTox encrypted chat client, which is designed to bypass government surveillance.

The Volcano Demon group has a tendency to encrypt victims’ data before making contact. Following the encryption, they issue a ransom note to inform the target organization of the breach. Failure to comply with their demands leads to threats of exposing the compromised data to clients, partners, or even selling it to other malicious entities. These tactics create a sense of urgency for victims to comply with the extortion scheme.

Ransomware operators are continuously evolving their strategies, prompting businesses to reinforce their security measures to counter these threats effectively. With the emergence of new threat actors targeting various industries, it is imperative for organizations to enhance their defenses against cyberattacks to safeguard their data and operations.

As the landscape of cyber threats continues to evolve, proactive measures like implementing robust security protocols and staying informed about the latest trends in cybersecurity are essential to mitigate risks and protect sensitive information. Organizations are advised to leverage advanced security solutions like Cynet XDR for automated detection and response to strengthen their cybersecurity posture and defend against emerging threats.
