October 2, 2023

Cybercriminals deliberately rebranded their names and subsequently took the center stage of the cyber threat landscape. Here, we will see one such incident that came into the limelight recently.

The incident happened with the fake TripAdvisor complaint emails that distributed the Knight ransomware. This unravels the meticulously orchestrated attack, unearthing its multifaceted mechanisms.

The origins trace back to the emergence of the Cyclops ransomware operation in May 2023. Operating within the realm of Ransomware-as-a-Service (RaaS), Cyclops embarked on a journey to recruit affiliates on the RAMP hacking forum equipped with encryptors targeting Windows, macOS, and Linux/ESXi systems. Unlike conventional RaaS offerings, Cyclops introduced a distinct twist, information-stealing malware for both Windows and Linux, signaling a shift in the threat landscape.


Cyclops has showcased an array of capabilities beyond the typical ransomware feature set. Alongside the standard encryptors, the operation unraveled a ‘lite’ version, tailor-made for high-impact spam campaigns. This streamlined variant had a fixed ransom amount, forsaking the intricate negotiation with victims.

Cyclops undertook a makeover, giving birth to the Knight ransomware. This rebranding maneuver accompanied updates to the lite encryptor, including support for ‘batch distribution,’ amplifying the potency of mass campaigns.

This riveting saga takes an unsuspecting turn as Knight ransomware hitches a ride on seemingly innocuous TripAdvisor complaint emails. A vigilant eye from the researchers cloaked as TripAdvisor complaints, these emails harbor ZIP file attachments bearing intriguing names such as ‘TripAdvisorComplaint.zip’ The twist comes to life as these attachments harbor a concealed executable—’TripAdvisor Complaint – Possible Suspension.exe’— a mere culprit

The Knighrlt ransomware unfolds its sophistication with an HTML attachment named ‘TripAdvisor-Complaint-[random].PDF.htm’ emerges, cunningly crafted to exploit Mr.D0x’s Browser-in-the-Browser phishing technique. Users who open this attachment find themselves confronted with a faux browser window, seemingly linked to TripAdvisor. Beneath the surface, however, lies the impending doom. The ‘Read Complaint’ button serves as the gateway to malicious intent, setting the stage for a cascade of events.


A novel chapter unfurls as Knight ransomware capitalizes on the unsuspecting trust in Microsoft Excel. The attacker wields Excel-DNA—a powerful tool that integrates .NET into Excel—as the Trojan horse of choice. The unassuming XLL file, ‘TripAdvisor_Complaint-Possible-Suspension.xll,’ lulls victims into a false sense of security. Upon activation, Excel identifies the Mark of the Web, inhibiting the .NET add-in. Yet, in the absence of the MoTW flag, the unsuspecting user faces a pivotal decision—to enable or not to enable.

Enable the add-in, and the Knight Lite ransomware encryptor infiltrates, initiating a stealthy encryption dance. Files succumb, marked by the .knight_l extension—a stark reminder of the lurking danger. The ransom note, a sinister manuscript named ‘How To Restore Your Files.txt,’ emerges in each conquered folder. The demand: a hefty $5,000, channeled through Bitcoin. The stakes escalate as victims are beckoned to a Tor site, a portal to decryption salvation or bitter deceit.


  • Promoting user awareness and education is crucial in preventing successful attacks. Users should exercise caution when handling email attachments, visiting suspicious websites, or downloading files from untrusted sources. Implementing robust email filtering and providing education on phishing techniques can effectively mitigate such risks.
  • Perform regular backups of critical data to mitigate the impact of ransomware attacks. Your backups should be securely stored and periodically tested to ensure data integrity and availability.
  • Regularly updating your security software and conducting system scans can help detect and prevent such threats.
  • Transmission of stolen data to an attacker’s server highlights the importance of network monitoring and intrusion detection systems (IDS). Organizations should invest in robust network security measures to identify and block suspicious outbound traffic.
  • Organizations should prioritize implementing multi-factor authentication (MFA) for critical systems and sensitive data access. MFA adds an extra layer of security, making it more challenging for attackers to gain unauthorized access by requiring additional authentication factors.

As the curtains draw on this cyber narrative, profound lessons emerge. The Knight ransomware campaign paints an intricate picture of relentless ingenuity and calculated malice. Cybersecurity professionals are urged to embrace vigilance and collaborative defenses. The battle against such pernicious threats demands more than ever—real-time threat intelligence, adaptive security measures, and unwavering unity. As the digital landscape evolves, enterprises must evolve in parallel, arming themselves with knowledge and resilience.

Leave a Reply

%d bloggers like this: