Volcano Demon: New Ransomware Gang Targets Windows & Linux
Halcyon’s research team has identified a new ransomware group dubbed “Volcano Demon,” responsible for a series of recent attacks. The group’s ransomware, LukaLocker, encrypts files with the .nba extension and targets both Windows and Linux systems. Volcano Demon has successfully breached organizations by exploiting weak or reused administrative credentials and exfiltrating data before deploying the ransomware.
Volcano Demon’s attack strategy begins with harvesting common administrative credentials from the network. Utilizing these credentials, they lock down both Windows workstations and servers, ensuring maximum disruption. Prior to encryption, data is exfiltrated to command-and-control (C2) services, setting the stage for a double extortion scenario.
One of the standout features of LukaLocker is its ability to cover its tracks effectively. Logs are cleared prior to exploitation, making forensic evaluation challenging, and limited logging and monitoring in victim environments further complicate detection. The ransomware employs API obfuscation and dynamic API resolution, concealing its malicious functionality and hindering reverse engineering.
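The two behaviours above that are visible from a defender's telemetry, log clearing and bulk renames to the .nba extension, can be turned into simple detections. The following Python is an added example, not code from Halcyon or the report; the telemetry records are constructed, and the Windows event IDs 1102 (Security log cleared) and 104 (other channel cleared) are general Windows facts, not values taken from the report.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (illustrative, not from the Halcyon report):
# one JSON record per line, mixing Windows event log entries and file renames.
SAMPLE_EVENTS = """
{"host":"fs01","ts":1719900060,"type":"winlog","channel":"Security","event_id":1102,"user":"svc_backup"}
{"host":"fs01","ts":1719900070,"type":"file_rename","path":"/srv/share/q1.xlsx.nba","user":"svc_backup"}
{"host":"fs01","ts":1719900071,"type":"file_rename","path":"/srv/share/q2.xlsx.nba","user":"svc_backup"}
{"host":"fs01","ts":1719900072,"type":"file_rename","path":"/srv/share/plan.docx.NBA","user":"svc_backup"}
{"host":"fs01","ts":1719900090,"type":"file_rename","path":"/srv/share/db.bak.nba","user":"svc_backup"}
{"host":"ws07","ts":1719900100,"type":"file_rename","path":"/home/u/notes.txt.nba","user":"u"}
{"host":"web02","ts":1719900200,"type":"winlog","channel":"System","event_id":104,"user":"admin"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_log_clearing(events):
    """Windows records a cleared Security log as event 1102 (Security channel)
    and other cleared channels as event 104 (System channel)."""
    return [e for e in events if e.get("type") == "winlog" and
            (e["channel"], e["event_id"]) in {("Security", 1102), ("System", 104)}]

def detect_nba_bursts(events, threshold=3, window=300):
    """Hosts with >= threshold renames to a .nba extension inside `window` seconds;
    returns {host: largest rename count seen within one window}."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("type") == "file_rename" and e["path"].lower().endswith(".nba"):
            per_host[e["host"]].append(e["ts"])
    hits = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[host] = best
    return hits

def triage(events):
    """Hosts showing both behaviours rank highest; either alone is still worth a look."""
    cleared = {e["host"] for e in detect_log_clearing(events)}
    bursty = set(detect_nba_bursts(events))
    return {"high": sorted(cleared & bursty),
            "medium": sorted((cleared | bursty) - (cleared & bursty))}
```

The rename threshold and window are tuning knobs; on a busy file server they should be raised so that a single user saving a handful of files does not trip the rule.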
Unlike many ransomware operators who use leak sites to pressure victims, Volcano Demon takes a more direct approach. They contact leadership and IT executives via phone calls from unidentified numbers, making threatening demands for payment. This tactic adds a personal and intimidating element to their extortion efforts, increasing the pressure on victims to comply.
Organizations are urged to strengthen their security posture by implementing strong password policies, regularly updating software, and employing robust security solutions. Additionally, having a well-defined incident response plan can help mitigate the impact of ransomware attacks.
For more detailed information and updates on LukaLocker and Volcano Demon, visit the Halcyon Research Team’s report.