Volcano 🌋 Deamon 😈 Ransomware Dissection


Security researchers have discovered a new ransomware group that repeatedly phones its victims to pressure them into paying.

The group, dubbed “Volcano Demon,” has reportedly been active since the last two weeks of June and has already carried out several attacks. Volcano Demon has been observed deploying a ransomware variant called LukaLocker, which encrypts victim files and appends a .nba extension to them.

The group uses several attack tools, including a Linux build of LukaLocker. The ransomware has successfully encrypted both Windows workstations and servers; in the observed intrusions the operators moved laterally and deployed the locker using shared administrative credentials harvested from the victim’s network, rather than a software exploit.


Volcano Demon uses a double-extortion model: after gaining access to a victim’s systems, the operators first exfiltrate files and then encrypt them. The group then demands payment both for a decryption key and for a promise not to sell or publish the stolen data.

Although the group is new, it differs from most of its ransomware contemporaries in one respect: Volcano Demon has no dark web leak site with which to coerce victims. Instead it takes a more old-fashioned, direct approach and repeatedly calls its victims.

In the observed cases, the operators behind Volcano Demon phoned leadership and IT executives directly to extort them and negotiate payment. The calls came from unidentified caller ID numbers and are reported to have been threatening in tone and in their demands at times.


To reduce the risk from Volcano Demon, organizations should have logging and monitoring in place that can surface the activity seen in these intrusions early: use of shared administrative credentials across many hosts, large outbound data transfers before encryption, and the sudden appearance of files renamed with the .nba extension.

Organizations should also review their security posture to ensure that administrative credentials are securely managed (unique local administrator passwords, no shared domain admin accounts for routine work, and MFA on remote and privileged access) and that comprehensive, tested backup and recovery strategies are in place to limit the impact of an encryption event. Keeping antivirus and endpoint protection up to date and auditing systems regularly are likewise noted as crucial for early detection and prevention.

This research was documented by researchers from Halcyon.

Indicators of Compromise

File hashes (SHA-256 format, as published). Note that the third entry as reproduced here is 63 hexadecimal characters, one short of a full SHA-256 digest, so verify it against the original Halcyon report before loading it into a blocklist.

  • f83abe3d9717238755f1276c87b3b320d8c30421984a897099ce3741d9143906
  • 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669
  • ac08ab5bfc5f2cfa0703115a0e2b61decc5158ec0d8a99ebc0824da2b4c3d25
  • ed32ebb15d4abe262a34e54408ebb0680b62dc975bf6c02652d28006f45fca14
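The following script is an added example of how the two indicators this article gives (the .nba rename left by LukaLocker and the published file hashes) can be turned into a simple triage sweep of a file share. It is not Halcyon’s tooling or anything from the Volcano Demon report. The directory it scans is constructed in a temporary folder so it runs offline, and the hash of one constructed sample file is added to the indicator set purely so that hash matching is exercised; it is not a real indicator. It also rejects any indicator that is not a well-formed 64-character SHA-256, which is why the 63-character entry above is reported rather than silently used.

```python
"""Triage sweep for LukaLocker artefacts: .nba renames and IoC hash matches.

Added example, not part of the original article or the Halcyon report.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes exactly as listed on the page. The third is 63 hex characters and is
# rejected by load_iocs() instead of being matched against files.
RAW_IOCS = [
    "f83abe3d9717238755f1276c87b3b320d8c30421984a897099ce3741d9143906",
    "4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669",
    "ac08ab5bfc5f2cfa0703115a0e2b61decc5158ec0d8a99ebc0824da2b4c3d25",
    "ed32ebb15d4abe262a34e54408ebb0680b62dc975bf6c02652d28006f45fca14",
]

RANSOM_EXT = ".nba"          # extension LukaLocker appends to encrypted files
RENAME_ALERT_THRESHOLD = 2   # assumed: flag a directory with this many .nba files


def load_iocs(raw):
    """Return (valid, rejected). Only 64-hex-character strings are accepted."""
    valid, rejected = set(), []
    for h in raw:
        h = h.strip().lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large shares do not get read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs, ext=RANSOM_EXT, threshold=RENAME_ALERT_THRESHOLD):
    """Walk root and collect .nba renames, IoC hash hits, and directories
    whose .nba count reaches the threshold (a mass-rename signal)."""
    findings = {"renamed": [], "hash_match": [], "mass_rename_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        nba_here = 0
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == ext:
                nba_here += 1
                findings["renamed"].append(str(p))
            try:
                h = sha256_file(p)
            except OSError:
                continue   # unreadable file: skip, do not abort the sweep
            if h in iocs:
                findings["hash_match"].append((str(p), h))
        if nba_here >= threshold:
            findings["mass_rename_dirs"].append(dirpath)
    return findings


def build_sample_tree():
    """Constructed sample share: two encrypted-looking files, one clean file,
    and one binary whose hash is used as a constructed indicator."""
    root = Path(tempfile.mkdtemp(prefix="luka_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q2.xlsx.nba").write_bytes(os.urandom(64))
    (root / "finance" / "board.docx.nba").write_bytes(os.urandom(64))
    (root / "finance" / "readme.txt").write_text("not encrypted\n")
    (root / "tools").mkdir()
    (root / "tools" / "sample.bin").write_bytes(b"constructed sample, not malware")
    return root


def run_demo():
    """Build the sample tree, load indicators, and return (findings, rejected)."""
    root = build_sample_tree()
    iocs, rejected = load_iocs(RAW_IOCS)
    # Constructed indicator so that hash matching fires offline; not a real IoC.
    iocs.add(sha256_file(root / "tools" / "sample.bin"))
    return scan_tree(root, iocs), rejected


if __name__ == "__main__":
    findings, rejected = run_demo()
    for h in rejected:
        print(f"rejected malformed indicator ({len(h)} chars): {h}")
    for path in findings["renamed"]:
        print(f"renamed: {path}")
    for path, h in findings["hash_match"]:
        print(f"hash match: {path} {h}")
    for d in findings["mass_rename_dirs"]:
        print(f"mass rename in: {d}")
```

For a real sweep, point `scan_tree()` at the share root and feed its output into your SIEM; the rename threshold and the choice to hash every file are assumptions to tune to the size of the share, and a hash-only check will not catch a rebuilt locker, so the .nba rename and credential-misuse signals matter more in practice.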
