Ransomware Eruption: Novel Locker Malware Flows From ‘Volcano Demon'

A double-extortion ransomware player has exploded onto the scene with several attacks in two weeks, wielding innovative locker malware and a slew of evasion tactics for covering its tracks and making it difficult for security experts to investigate.

Tracked as "Volcano Demon" by the researchers at Halcyon who discovered it, the newly discovered adversary is characterized by never-before-seen locker malware, dubbed LukaLocker, that encrypts victim files with the .nba file extension, according to a blog post published this week.

The attacker's evasion tactics include the installation of limited victim logging and monitoring solutions prior to exploitation and the use of "threatening" phone calls from "No Caller ID" numbers to extort or negotiate a ransom.  

"Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks," the Halcyon Research Team wrote in the post. Volcano Demon also has no leak site for posting data it steals during its attacks, though it does use double extortion as a tactic, the team said.

In its attacks, Volcano Demon used common administrative credentials harvested from the networks of its victims to load a Linux version of LukaLocker, then successfully locked both Windows workstations and servers. Attackers also exfiltrated data from the network to its own command-and-control server (C2) prior to ransomware deployment so it could use double extortion.

A ransom note instructs victims to contact attackers through the qTox messaging software and then wait for technical support to call them back, making it difficult to track the communication between the parties, according to Halcyon.

Remnants of Conti?

Halycon researchers first discovered a sample of what it now calls LukaLocker on June 15, according to the post. "The ransomware is an x64 PE binary written and compiled using C++," the team wrote. "LukaLocker ransomware employs API obfuscation and dynamic API resolution to conceal its malicious functionalities — evading detection, analysis, and reverse engineering."

Upon execution, unless "--sd-killer-off" is specified, LukaLocker immediately terminates some security and monitoring services present on the network similar to and possibly copied from the prolific but now-defunct Conti ransomware, according to the post. These services include various antivirus and endpoint protection; backup and recovery tools; database software by Microsoft, IBM, and Oracle, among others; Microsoft Exchange Server; virtualization software; and remote access and monitoring tools. It also terminates other processes, including Web browsers, Microsoft Office, and cloud and remote access software, such as TeamViewer.

The locker uses the Chacha8 cipher for bulk data encryption, randomly generating the Chacha8 key and nonce through the Elliptic-curve Diffie-Hellman (ECDH) key agreement algorithm over Curve25519. Files can either be fully encrypted or at varying percentages, including 50%, 20%, or 10%.

Vigilance Required

Because of Volcano Demon's extensive evasion capabilities, it was difficult for the Halcyon team to do a full forensic analysis of the attacks; moreover, the researchers did not reveal the type of organizations targeted by the threat actor. Halcyon did, however, manage to identify various indicators of compromise (IoC) of the attackers, some of which have been uploaded to Virus Total.

These IoCs include a Trojan, Protector.exe, and the Locker.exe encryptor. A Linux cryptor file called Linux locker/bin and command-line scripts that precede encryption, Reboot.bat, also are hallmarks of an attack by the novel ransomware actor.

With ransomware remaining a prevalent and disruptive threat to global organizations despite various law-enforcement crackdowns that have taken out leading cybercriminal gangs, vigiliance is required among those in charge of defending networks. Given that Volcano Demon uses administrative passwords to organizations networks as an initial means of exploitation, defense tactics such as multifactor authentication (MFA) and employee training to identify phishing campaigns that put credentials in attackers' hands can help avoid compromise.