Ransomware Roundup – Knight | FortiGuard Labs

Fortinet’s FortiGuard Labs details Knight ransomware, a relatively new double-extortion group active since August 2023 that encrypts files and exfiltrates data for ransom. The report covers infection via phishing campaigns delivering Knight through Remcos and Qakbot droppers, victimology across industries (notably US retail and healthcare), and defense guidance including Fortinet protections and best practices. #KnightRansomware #Cyclops #Remcos #Qakbot #Fortinet #FortiRecon #TOR

Keypoints

  • Knight ransomware is a relatively new double-extortion operation that emerged in August 2023; it is the successor to the Cyclops ransomware.
  • Infection vectors include phishing campaigns with malicious attachments that deliver Knight through the Remcos and Qakbot loaders.
  • Victimology spans multiple industries, with the United States most affected by country; retail is the hardest-hit sector, followed by healthcare providers.
  • On execution, encrypted files receive a .knight_l extension and a ransom note titled “How To Restore Your Files.txt” is dropped.
  • The ransom note indicates high pricing; the Bitcoin wallet it lists showed no transactions at the time of the investigation.
  • The group operates data leak sites on TOR and uses public file-sharing services (Mega, Gofile, UploadNow) to publish stolen data and name victims.
  • Fortinet protections include AV signatures, FortiEDR, and web filtering that block the known Knight droppers; keeping these up to date, maintaining offline backups, and adopting a Zero Trust strategy are recommended.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Targeted Italian organizations with phishing campaigns using emails with malicious attachments. Quote: ‘According to an advisory by CERT Italy in early September, Knight targeted Italian organizations with phishing campaigns using emails with malicious attachments.’
  • [T1486] Data Encrypted for Impact – Knight encrypts files on victims’ machines and exfiltrates data for extortion purposes. Quote: ‘encrypts files on victims’ machines and exfiltrates data for extortion purposes.’
  • [T1041] Exfiltration Over C2 Channel – Knight exfiltrates data for extortion purposes. Quote: ‘exfiltrates data for extortion purposes.’ Caveat: the report does not describe the exfiltration channel itself; the group's use of Mega, Gofile, and UploadNow to publish stolen data (see Keypoints) is closer to T1567.002, Exfiltration to Cloud Storage, so treat the T1041 mapping as provisional.

Indicators of Compromise

  • [SHA-256] Knight ransomware file hashes – 1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d, 2bfababf54992c32afced15b355cf7fcf7c6b0783cfee9086e80893d5f5124ed
  • [File Extension] Knight encrypted file extension – .knight_l
  • [File Name] Ransom note – How To Restore Your Files.txt
  • [URL] Knight ransomware dropper location – hxxp://89.23.96.203/333/1[.]exe, hxxp://89.23.96.203/333/2[.]exe
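The following script is an added example of how a responder might hunt for the indicators listed above; it is not code from Fortinet or FortiGuard Labs. The SHA-256 hashes, the .knight_l extension, the ransom note name, and the dropper host and paths are copied from the IOC list (the URLs are re-fanged). The proxy log format, the sample log lines, and the temporary directory contents are constructed here purely for illustration.

```python
"""Hunt for Knight ransomware IOCs on a file tree and in proxy logs.

Added example, not Fortinet's code. IOC values come from the roundup's
Indicators of Compromise list; the log format and sample data are assumed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# IOCs copied from the report.
KNIGHT_SHA256 = {
    "1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d",
    "2bfababf54992c32afced15b355cf7fcf7c6b0783cfee9086e80893d5f5124ed",
}
KNIGHT_EXTENSION = ".knight_l"
RANSOM_NOTE = "How To Restore Your Files.txt"
# Defanged in the report as hxxp://89.23.96.203/333/1[.]exe and 2[.]exe.
DROPPER_HOST = "89.23.96.203"
DROPPER_PATHS = {"/333/1.exe", "/333/2.exe"}

# Assumed proxy log layout (constructed): "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path) -> dict:
    """Walk root and flag .knight_l files, ransom notes and known Knight sample hashes.

    Extension and note hits mean encryption (T1486) already happened on that
    host; a hash hit on a file that has not run is the earlier, cheaper signal.
    """
    hits = {"encrypted": [], "notes": [], "hash_matches": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(KNIGHT_EXTENSION):
                hits["encrypted"].append(str(p))
            if name == RANSOM_NOTE:
                hits["notes"].append(str(p))
            try:
                if sha256_of(p) in KNIGHT_SHA256:
                    hits["hash_matches"].append(str(p))
            except OSError:
                continue  # unreadable or vanished file; keep scanning
    return hits


def match_proxy_logs(lines) -> list:
    """Return (src_ip, url) pairs for requests that fetched a known Knight dropper."""
    matches = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        # hostname drops any explicit port; exact path match avoids flagging
        # unrelated content served from the same IP.
        if parts.hostname == DROPPER_HOST and parts.path in DROPPER_PATHS:
            matches.append((m.group("src"), url))
    return matches


def demo() -> dict:
    """Run both checks over constructed sample data and return a summary."""
    sample_logs = [  # constructed, not real traffic
        "2023-09-05T10:14:02Z 10.0.5.23 GET http://89.23.96.203/333/1.exe 200",
        "2023-09-05T10:14:09Z 10.0.5.23 GET http://89.23.96.203:80/333/2.exe 200",
        "2023-09-05T10:15:00Z 10.0.5.40 GET http://example.com/index.html 200",
        "2023-09-05T10:16:00Z 10.0.5.41 GET http://89.23.96.203/other.html 404",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / ("report.docx" + KNIGHT_EXTENSION)).write_bytes(b"\x00" * 64)
        (root / "docs" / RANSOM_NOTE).write_text("constructed placeholder note\n")
        (root / "clean.txt").write_text("nothing to see here\n")
        tree = scan_tree(root)
    return {
        "encrypted": len(tree["encrypted"]),
        "notes": len(tree["notes"]),
        "hash_matches": len(tree["hash_matches"]),
        "dropper_fetches": match_proxy_logs(sample_logs),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real share or log export by calling `scan_tree(Path("/mnt/share"))` and `match_proxy_logs(open("proxy.log"))` instead of `demo()`; in practice you would also restrict hashing to executable file types, since hashing every file on a large share is expensive and the two hashes identify the ransomware binary, not encrypted documents.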

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-knight