A newly discovered ransomware group has dispensed with the usual leak site and is instead targeting executives in victim organizations with threatening phone calls, according to Halcyon.
The cybersecurity vendor claimed in a brief blog post this week that the “Volcano Demon” group has been responsible for several attacks in the past fortnight, deploying a novel ransomware variant.
Dubbed “LukaLocker,” the ransomware appends the .nba extension to the files it encrypts. The group behind it has gone to plenty of effort to ensure it evades detection and analysis.
“The ransomware is an x64 PE binary written and compiled using C++,” the report explained. “LukaLocker ransomware employs API obfuscation and dynamic API resolution to conceal its malicious functionalities – evading detection, analysis and reverse engineering.”
Upon execution, the ransomware terminates various services and processes, including backup and endpoint detection, AV, system monitoring and remote access.
“Volcano Demon was successful in locking both Windows workstations and servers after utilizing common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion techniques,” Halcyon continued.
“Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event.”
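The behaviours described above (log clearing, stopping of backup/AV/EDR services, and files renamed with the .nba extension) can be correlated from ordinary Windows telemetry. The sketch below is an added defender's example, not code from Halcyon or the report; the event records are constructed, the event IDs are the standard Windows (1102, 104, 7036) and Sysmon (11) ones, and the service-name pattern is an assumed, coarse heuristic.

```python
import re
from collections import Counter

# Constructed sample records in a flattened Windows-event-log style (not real telemetry).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "msg": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "msg": "The System log file was cleared."},
    {"channel": "System", "event_id": 7036,
     "msg": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"channel": "System", "event_id": 7036,
     "msg": "The Volume Shadow Copy service entered the stopped state."},
    {"channel": "Sysmon", "event_id": 11, "msg": "File created: C:\\Shares\\finance\\q2.xlsx.nba"},
    {"channel": "Sysmon", "event_id": 11, "msg": "File created: C:\\Shares\\hr\\payroll.docx.nba"},
    # Benign noise: an unrelated service stopping should not count.
    {"channel": "System", "event_id": 7036, "msg": "The Print Spooler service entered the stopped state."},
]

# Security 1102 = audit log cleared; System 104 = event log file cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}
# Assumed keyword heuristic for the service categories the report names
# (backup, AV/EDR, monitoring, remote access); tune to the estate's real service names.
PROTECTIVE_SERVICE_RE = re.compile(r"defender|antivirus|backup|shadow copy|monitor|remote", re.I)
# The extension LukaLocker appends, as reported by Halcyon.
NBA_EXT_RE = re.compile(r"\.nba\b", re.I)


def classify(event):
    """Map one record to a signal name, or None if it is not interesting."""
    ch, eid, msg = event["channel"], event["event_id"], event["msg"]
    if (ch, eid) in LOG_CLEAR_IDS:
        return "log_cleared"
    # System 7036 is the Service Control Manager state-change event.
    if ch == "System" and eid == 7036 and "stopped state" in msg and PROTECTIVE_SERVICE_RE.search(msg):
        return "protective_service_stopped"
    # Sysmon 11 is FileCreate; a new file carrying the .nba extension is the encryption artefact.
    if ch == "Sysmon" and eid == 11 and NBA_EXT_RE.search(msg):
        return "nba_file_created"
    return None


def assess(events, min_signals=2):
    """Count signal kinds and escalate when several distinct kinds co-occur in one window."""
    counts = Counter(sig for sig in map(classify, events) if sig)
    return {"signals": dict(counts), "escalate": len(counts) >= min_signals}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Any one signal alone is noisy (administrators stop services and rotate logs), so the escalation threshold keys on several kinds appearing together.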
Most notable is that the group appears not to run a data leak site, but instead picks up the phone to pressure “leadership and IT executives” in victim organizations directly into paying the ransom.
“Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations,” warned Halcyon.
The ransom note is also written in an uncompromising tone.
“Your corporate network has been encrypted. And that’s not all – we studied and downloaded a lot of your data,” it reads.
“If you ignore this incident, we will ensure that your confidential data is widely available to the public. We will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees.”
New Tactics Demand a Change in Incident Response
Adam Pilton, senior cybersecurity consultant at CyberSmart, said the use of phone-based extortion complicates incident response efforts.
“With a telephone call coming from an unknown number at an unknown time into the business, the number of variables increases, meaning you may need a negotiator on hand and available at all times,” he argued. “This increases the cost of the negotiator service. It also means that the negotiator has to be prepared for all eventualities.”
However, there could also be new leads for law enforcement to follow, Pilton added.
“Traditionally, IP addresses are very simple to hide behind and although telephone data can be obscured, the information the attacker gives away is potentially so much more,” he said. “Here will be voice data and potential background noise, as well as the call connection records.”