A new player in the ransomware landscape, known as Volcano Demon, has made waves with its unique and aggressive approach. Researchers at cybersecurity firm Halcyon recently revealed that the group has executed at least two successful attacks in just the past fortnight.
Targeting firms in the manufacturing and logistics sectors, Volcano Demon has garnered attention for its unorthodox methods. Unlike traditional ransomware groups that rely on public leak sites, this group employs phone calls to intimidate and negotiate ransoms directly with the executives of their victim organizations. These calls come from obscure numbers and often carry an ominous tone, as reported by Tim West, a Halcyon analyst, to Recorded Future News.
The group's modus operandi begins with the deployment of a new strain of ransomware, dubbed LukaLocker. Following the encryption of files on the victims' systems, the attackers leave behind a ransom note with a chilling warning:
“If you ignore this incident…we will ensure your clients and partners learn everything, and the attacks will persist. Some of the data will be sold to scammers who will target your clients and employees,” the note threatens.
Volcano Demon’s tactics include exploiting common administrative credentials to lock down Windows workstations and servers. They employ a double extortion strategy by first exfiltrating sensitive data to their command-and-control (C2) servers before encrypting it.
Tracking these cybercriminals has proven difficult. They erase log files from the compromised systems, making a thorough forensic investigation nearly impossible. West noted that the attackers speak with a heavy accent, but without recordings, pinpointing their origin remains elusive.
The group’s frequent phone calls—sometimes daily—add to the pressure on their victims. While Halcyon has not yet determined if Volcano Demon operates independently or is affiliated with another ransomware group, their methods mark a significant departure from the norm.
The ransomware landscape continues to evolve with the emergence of new and sophisticated actors. For instance, the criminal syndicate Arcus Media was identified in May 2024, offering a ransomware-as-a-service (RaaS) model and targeting victims across the globe. Another newcomer, Space Bears, gained notoriety earlier in April with their corporate-themed data leak site and alliances with established ransomware groups.
These developments indicate that the ransomware threat is becoming increasingly organized and well-funded, posing a growing challenge for cybersecurity professionals worldwide.
Author: Security Origin www.securityorigin.com