July 3, 2024 at 12:52PM
A new ransomware player, Volcano Demon, has emerged with an innovative locker malware, LukaLocker, and sophisticated evasion tactics that hamper forensic analysis. It employs double extortion: it exfiltrates data and demands ransom via qTox messaging. The malware terminates various security and monitoring services, posing a significant threat. Vigilance and IoC monitoring are crucial.
After reviewing the report, the key takeaways are:
– A new ransomware player named “Volcano Demon” has emerged, using innovative locker malware called LukaLocker to encrypt victim files with the .nba file extension.
– Volcano Demon employs various evasion tactics to cover its tracks, including clearing logs, limiting the victim's logging and monitoring, and using “No Caller ID” numbers for threatening phone calls to extort or negotiate the ransom.
– The attacker utilizes common administrative credentials to deploy LukaLocker on both Windows workstations and servers, and exfiltrates data to its command-and-control server (C2) for double extortion.
– The ransom note instructs victims to contact the attackers through the qTox messaging software and wait for technical support to call back, making it challenging to track communications.
– The LukaLocker ransomware uses API obfuscation and dynamic API resolution to evade detection, analysis, and reverse engineering, similar to the now-defunct Conti ransomware.
– The locker utilizes the ChaCha8 cipher for data encryption and exhibits extensive evasion capabilities that hinder full forensic analysis by security experts.
– Several indicators of compromise (IoCs) for the attackers have been identified, including a Trojan, Protector.exe, the Locker.exe encryptor, a Linux cryptor file, and command-line scripts.
These takeaways provide a comprehensive overview of the Volcano Demon ransomware attacks and its sophisticated evasion and encryption techniques.
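As an added example (not code from the original report or from any of the parties it describes), the following Python triage helper sweeps a filesystem tree for the two host-level indicators the takeaways name for LukaLocker: files renamed with the `.nba` extension, and the dropped binaries `Protector.exe` and `Locker.exe`. The report gives no file hashes, so `KNOWN_BAD_SHA256` is an empty placeholder to be filled from your own threat-intelligence feed; matching by filename alone is weak evidence and is flagged only as a lead. The sample tree built by `build_sample_tree()` is constructed for the demonstration.

```python
"""
Added triage helper (not from the original write-up): sweep a directory
tree for LukaLocker host indicators named in the report. Hash values are
not given in the report, so KNOWN_BAD_SHA256 is a placeholder set.
"""
import hashlib
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".nba"                          # extension LukaLocker appends (from the report)
DROPPED_NAMES = {"protector.exe", "locker.exe"}  # dropped binaries named in the report
KNOWN_BAD_SHA256 = set()                         # placeholder: populate from your own IoC feed


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk `root` and return a report dict with:
    - encrypted_total / encrypted_by_dir: count of .nba files overall and per directory
    - dropped_binaries: paths whose filename matches a dropped-binary name (weak lead)
    - hash_hits: paths whose SHA-256 is on the bad list (only computed if the list is non-empty)
    """
    per_dir = Counter()
    dropped = []
    hash_hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
            if lower in DROPPED_NAMES:
                dropped.append(full)
            if KNOWN_BAD_SHA256 and sha256_of(full) in KNOWN_BAD_SHA256:
                hash_hits.append(full)
    return {
        "encrypted_total": sum(per_dir.values()),
        "encrypted_by_dir": dict(per_dir),
        "dropped_binaries": dropped,
        "hash_hits": hash_hits,
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree():
    """Constructed sample data: a temp tree mimicking a partly-encrypted host
    (three encrypted documents, two encrypted spreadsheets, one untouched file,
    and a dropped binary matching a name from the report)."""
    root = tempfile.mkdtemp(prefix="luka_demo_")
    docs = os.path.join(root, "Users", "alice", "Documents")
    share = os.path.join(root, "Shares", "finance")
    os.makedirs(docs)
    os.makedirs(share)
    for i in range(3):
        _write(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), b"\x00" * 64)
    _write(os.path.join(docs, "untouched.txt"), b"hello")
    for i in range(2):
        _write(os.path.join(share, f"ledger{i}.xlsx{ENCRYPTED_EXT}"), b"\x00" * 64)
    _write(os.path.join(root, "Protector.exe"), b"MZ-placeholder")  # constructed, not real malware
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = sweep(demo_root)
    print(f"Encrypted files: {result['encrypted_total']}")
    for d, n in result["encrypted_by_dir"].items():
        print(f"  {n:4d}  {d}")
    print("Dropped-binary name matches:", result["dropped_binaries"])
    print("Hash hits:", result["hash_hits"])
```

Run it against a mounted image or a live host's data volumes to get a quick picture of blast radius per directory before deeper forensics; because the locker clears logs, the file-system footprint is often the most reliable evidence left.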