New Volcano Demon Ransomware Group Threatening Victims Over Phone Call

A novel malware known as Volcano Demon has been observed targeting Windows workstations and servers, obtaining administrative credentials from the network.

The threat actor doesn’t have a leak site and instead uses phone calls to executives in IT and leadership to demand and demand for money. 

EHA

Calls from unidentified caller ID numbers could reflect a threatening tone and expectations.  

Encrypting Victim Files

Dubbed LukaLocker, it was identified as encrypting victim files with the .nba file extension. On June 15, 2024, the LukaLocker sample that Halcyon researchers examined was found.

The ransomware is developed in C++ and compiled as an x64 PE binary.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

The LukaLocker ransomware evades detection, analysis, and reverse engineering by hiding its destructive functions through the use of dynamic API resolution and API obfuscation.

The hackers used the LukaLocker ransomware to encrypt the victims’ files before making a phone call, and they left a ransom note.

“Your corporate network has been encrypt3d… We studied and downloaded a lot of your data, many of them have confidential status”, reads the ransom note.

“If you ignore this incident, we will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees”. 

Volcano Demon Ransomware Note

On the victim’s network, a Linux version of LukaLocker was also discovered.

Volcano Demon used shared administrator credentials that it had taken from the network to lock both Windows desktops and servers successfully.

Data was stolen and sent to C2 services in advance of the attack to use double extortion.

According to researchers, in both cases, limited victim logging and monitoring solutions were deployed before the event, and logs were removed before exploitation. As a result, a comprehensive forensic review was not possible.

Volcano Demon may or may not be a part of a well-known ransomware organization, however this is not yet clear.

Ransomware operators are still evolving; a number of new threat actors have surfaced recently, focusing on a wide range of businesses. 

Paying the ransom to the individual or organization is never a wise decision. Hence, organizations should refrain from paying ransoms since it encourages those involved to harm those around them.

Indicators Of Compromise

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.