Knight Ransomware Windows Computer

Knight ransomware, a relatively new ransomware gang that first appeared in August 2023, targets Windows computers to steal sensitive data.

Several industrial sectors have been attacked by the Knight ransomware organization, which includes retail and healthcare organizations, such as dentist offices, physicians’ clinics, and hospitals.


According to Fortinet’s classification of victim organizations by nation, the United States leads by a wide margin.

Figure 2: Top countries targeted by Knight ransomware (source: FortiRecon).
Countries targeted by Knight ransomware

Specifics of Knight Ransomware

The group uses double extortion, in which the Knight ransomware encrypts files on victims’ computers and then steals data to carry out its extortion goal.

Files encrypted by the Knight ransomware are added with a “.knight_l” file extension once a network has been infiltrated and data has been exfiltrated. It then leaves a ransom note with the title “How To Restore Your Files.txt.”

Figure 4: Ransom note dropped by the Knight ransomware.
Ransom Note

The Knight ransomware targets businesses, which is why the ransom amount is set so high. The Bitcoin wallet in this ransom note has no documented transactions.

Victims may contact the threat actor via a TOR website owned by the Knight ransomware gang. There is a list of victims as well as stolen data placed there.

Figure 6: Post regarding a victim with ongoing negotiation.
Post regarding a victim with the ongoing negotiation

This group has also exploited several openly accessible file-sharing platforms, including Mega, Gofile, and UploadNow, and utilizes another TOR site to reveal stolen content.


“Due to the ease of disruption, damage to daily operations, the potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date,” the company recommends.

The FBI has a Ransomware Complaint website where victims may submit screenshots of ransomware activity through their Internet Crimes Complaint Centre (IC3). This portal is available to both people and organizations afflicted by ransomware.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.