Insights into Code Similarity for Tracking Ransomware Gang Activities – Emanuele De Lucia

Halcyon, Inc. identified LukaLocker as a new ransomware strain operated by Volcano Demon, targeting Windows and Linux with file encryption and data-leakage threats. The article analyzes LukaLocker’s code similarities with prior malware and explains its deployment via the Nitrogen malvertising campaign, including potential links to BlackCat/Alphv affiliates.
#LukaLocker #VolcanoDemon #Nitrogen #BlackCat #Alphv #Conti

Keypoints

  • LukaLocker is a new ransomware strain identified by Halcyon, Inc. on July 1, 2024.
  • The ransomware is operated by a threat actor known as Volcano Demon.
  • LukaLocker targets both Windows and Linux systems.
  • It encrypts files and demands a ransom for decryption, with threats to leak stolen data.
  • Technical analysis shows code overlaps with other malware, suggesting shared development patterns.
  • The Nitrogen malvertising campaign delivers LukaLocker, leveraging trojanized installers and DLL loading.
  • Past BlackCat/Alphv activity and potential affiliate connections are discussed as context.

MITRE Techniques

  • [T1218.011] Signed Binary Proxy Execution: DLL Side-Loading – Execution of malicious payloads through DLL sideloading.
  • [T1195] Supply Chain Compromise – Installation of malware via trojanized software installers.
  • [T1068] Exploitation for Privilege Escalation – Exploitation of vulnerabilities in legitimate software.
  • [T1027] Obfuscated/Compressed Files and Information – Use of encryption and obfuscation techniques to avoid detection.
  • [T1059] Command and Scripting Interpreter – Dynamic code execution to evade static analysis.
  • [T1552] Unsecured Credentials – Potential data theft during ransomware deployment.
  • [T1041] Exfiltration – Threat to leak stolen data if ransom is not paid.
  • [T1486] Data Encrypted for Impact – File encryption to deny access to victims.

Indicators of Compromise

  • [File hash] LukaLocker-related samples – 30390db8ef77afdb6add86f7f2990a142823401078ab237020933d0423374b27, d949cc181b6163bd4f1717d0218b993d9009c79e45aff578946ebe79e82974da

Read more: https://www.emanueledelucia.net/malwares-shared-secrets-code-similarity-insights-for-ransomware-gangs-activities-tracking/