Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker

Halcyon researchers identify Volcano Demon as a new ransomware operator deploying LukaLocker, with both Windows and Linux encryptors and indications of double extortion. The gang exfiltrates data to C2, clears logs, and extorts victims via phone calls to leadership, without a leak site.
#VolcanoDemon #LukaLocker

Keypoints

  • Halcyon identifies Volcano Demon as a new ransomware operator and LukaLocker as the encryptor used in recent attacks.
  • The LukaLocker sample encrypts victim files with the .nba extension and has a Linux version detected on the network.
  • Attackers exploited harvested administrative credentials to lock Windows workstations and servers, with data exfiltrated to C2 for double extortion.
  • Threat actors cleared logs prior to exploitation, hindering forensic analysis due to limited victim logging and monitoring.
  • There is no public leak site; extortion is conducted via threatening phone calls to leadership and IT executives from unidentified numbers.
  • LukaLocker uses API obfuscation and dynamic API resolution to evade detection; encryption uses ChaCha8 with ECDH key exchange and stores the public key/nonce in the file footer.
  • Evasion tactics include stopping security tools and targeted process termination, plus selective file/directory exclusions during encryption.

MITRE Techniques

  • [T1041] Exfiltration Over C2 – Data was exfiltrated to C2 services for double extortion techniques. Quote: ‘data was exfiltrated to C2 services for double extortion techniques.’
  • [T1078] Valid Accounts – Utilizes common administrative credentials harvested from the network. Quote: ‘utilizing common administrative credentials harvested from the network.’
  • [T1070.001] Clear Windows Event Logs – Logs were cleared prior to exploitation. Quote: ‘Logs were cleared prior to exploitation.’
  • [T1027] Obfuscated/Compressed Files and Information – LukaLocker employs API obfuscation and dynamic API resolution to conceal its malicious functionalities. Quote: ‘employs API obfuscation and dynamic API resolution to conceal its malicious functionalities — evading detection, analysis and reverse engineering.’
  • [T1059] Command and Scripting Interpreter – Command Line Options show how the malware accepts parameters (e.g., -p, -m). Quote: ‘Command Line Options’ and ‘-p Encrypt target path then exit.’
  • [T1486] Data Encrypted for Impact – LukaLocker encrypts victim files (e.g., .nba extension) as its core impact. Quote: ‘The LukaLocker sample analyzed in this report was discovered on 15 June 2024. The ransomware is an x64 PE binary…’
  • [T1562.001] Impair Defenses – Stops security tools and services (e.g., Malwarebytes, Windows Defender, BitDefender, SentinelOne). Quote: ‘Upon execution, unless “–sd-killer-off” is specified, LukaLocker immediately terminates some services…’

Indicators of Compromise

  • [File Name] Protector.exe – Trojan; associated with Volcano Demon; uploaded to VirusTotal (Yes; 38/73)
  • [File Name] Locker.exe – Encryptor; associated with Volcano Demon; uploaded to VirusTotal (Yes; 7/68)
  • [File Name] Linux locker.bin – Linux Encryptor; associated with Volcano Demon; not flagged on VirusTotal (No; 0/64)
  • [File Name] Reboot.bat – Command line scripts as precursors to encryption; associated with Volcano Demon; not flagged on VirusTotal (No; 0/64)
  • [SHA256 Hash] f83abe3d9717238755f1276c87b3b320d8c30421984a897099ce3741d9143906 – Protector.exe
  • [SHA256 Hash] 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669 – Locker.exe
  • [SHA256 Hash] ac08ab5bfc5f2cfa0703115a0e2b61decc5158ec0d8a99ebc0824da2b4c3d25 – Linux locker.bin
  • [SHA256 Hash] ed32ebb15d4abe262a34e54408ebb0680b62dc975bf6c02652d28006f45fca14 – Reboot.bat
  • [File Extension] .nba – Encryption extension appended to files encrypted by LukaLocker
  • [File Extension] .exe – Executable files that LukaLocker may target or consider in its exclusion list

Read more: https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker