Halcyon has encountered a new ransomware organization our researchers are tracking as Volcano Demon following several attacks in the past two weeks.
The encryptor sample, dubbed LukaLocker, was identified encrypting victim files with the .nba file extension. Multiple attack tools were also identified, with their IOCs noted in the table below. A Linux version of LukaLocker was also identified on the victim’s network.
Volcano Demon succeeded in locking both Windows workstations and servers after using common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services in support of double extortion.
Logs were cleared prior to exploitation, and in both cases a full forensic evaluation was not possible because the actor covered their tracks and the victims had limited logging and monitoring solutions installed before the event.
In both cases, the threat actor operates no leak site and instead uses phone calls to leadership and IT executives to extort and negotiate payment. Calls come from unidentified caller-ID numbers and can be threatening in tone and expectations.
Ransom Note
Indicators of Compromise
The following artifacts were associated with Volcano Demon. At the time of publishing, all were uploaded to VT with multiple being flagged:
Encryptor Overview
The LukaLocker sample analyzed in this report was discovered on 15 June 2024. The ransomware is an x64 PE binary written in C++. LukaLocker employs API obfuscation and dynamic API resolution to conceal its malicious functionality, evading detection, analysis and reverse engineering:
Command Line Options
Note that some of these command-line options are not functional, since the ransomware author implemented no code to support them. These are:
- -l <log_file>: although the specified log file is created, nothing is written to it and it remains at 0 bytes.
- Modes “net” and “backups”: unsupported modes that do nothing. Inferring from the names, these options are intended to target network shares and backup files for encryption.
- -s <int>: unknown command-line option with no code implemented. Possibly a debugging switch.
Evasion Tactics
Service Stop
Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates a list of services similar to, and possibly copied from, the list used by Conti ransomware. The services include the following:
Antivirus and Endpoint Protection
- Malwarebytes
- Windows Defender
- BitDefender
- SentinelOne
Backup and Recovery
Databases
- Microsoft SQL Server
E-Mail Servers
- Microsoft Exchange
Virtualization and Cloud
- BlueStripe
Remote Access and Monitoring
Process Stop
Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates some processes. The processes include the following:
Antivirus and Security Software
- Symantec/Norton
- Bitdefender
- Trend Micro
- Malwarebytes
System Monitoring and Management
Database and Storage Services
- Microsoft SQL Server
Cloud and Remote Access Tools
- TeamViewer
Web Browsers
Office and Productivity Software
- Microsoft Office
File Selection
The following directories are avoided during encryption:
The following extensions are avoided, all others are included:
File Encryption
The ChaCha8 cipher is used for bulk data encryption. A fresh ChaCha8 key and nonce are generated for each file: the nonce is random, and the key is derived through Elliptic-curve Diffie–Hellman (ECDH) key agreement over Curve25519. The per-file ECDH public key and the nonce are stored in the file footer.
The encryptor supports either full encryption or partial encryption, covering 100%, 50%, 20%, or 10% of the file data. The following is the footer used by the ransomware: