Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker

Halcyon has encountered a new ransomware organization our researchers are tracking as Volcano Demon following several attacks in the past two weeks.  

The following encryptor sample dubbed LukaLocker was identified encrypting victim files with the .nba file extension. In addition, multiple attack tools were identified with IOCs noted in the table below. A linux version of LukaLocker was also identified on the victim’s network.

Volcano Demon was successful in locking both Windows workstations and servers after utilizing common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion techniques.  

Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event.

During both cases, the threat actor features no leak site and uses phone calls to leadership and IT executives to extort and negotiate payment. Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations.  

Ransom Note

Indicators of Compromise

The following artifacts were associated with Volcano Demon. At the time of publishing, all were uploaded to VT with multiple being flagged:

‍Encryptor Overview

The LukaLocker sample analyzed in this report was discovered on 15 June 2024. The ransomware is an x64 PE binary written and compiled using C++. LukaLocker ransomware employs API obfuscation and dynamic API resolution to conceal its malicious functionalities -- evading detection, analysis and reverse engineering:

Command Line Options

‍

Note that some of these command-line options are not functional since there is no code implemented by the ransomware author to support these. These are:

• -l <log_file>: although it creates a specified log file, nothing is written to it and remains at 0 bytes.  

• Modes “net” and “backups”: unsupported modes and does nothing.  Inferring from the names, these options are used to target network shares and backup files for encryption.  

• -s <int>: unknown command-line option, no code implemented.  Possibly a debugging switch.

Evasion Tactics

Service Stop

Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates some services similar to and possibly copied from Conti ransomware. The services include the following:

Antivirus and Endpoint Protection

• Sophos

• Symantec

• McAfee

• Avast

• Defender

• Malwarebytes

• Windows Defender

• BitDefender

• Spyhunter

• Kaspersky

• SentinelOne

Backup and Recovery

• Acronis

• Symantec

• Veeam

• SQL Safe

Databases

• Microsoft SQL Server

• MySQL

• IBM DB2

• Oracle

E-Mail Servers

• Microsoft Exchange

Virtualization and Cloud

• VMWare

• BlueStripe

• ProLiant

Remote Access and Monitoring

• Alerter

• Eventlog

• UI0Detect

• WinVNC4

Process Stop

Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates some processes.  The processes include the following:

Antivirus and Security Software

• Symantec/Norton

• McAfee

• AVG

• Kaspersky

• Bitdefender

• Trend Micro

• Malware Bytes

System Monitoring and Management

• VMware

• Proficy

• Microsoft

• IBM

• BMC

Database and Storage Services

• Microsoft SQL Server

• Oracle

• MySQL

Cloud and Remote Access Tools

• TeamViewer

• VNC

• Google

Web Browsers

• Firefox

• Chrome

Office and Productivity Software

• Microsoft Office

File Selection

The following directories are avoided during encryption:

The following extensions are avoided, all others are included:

‍

File Encryption

The Chacha8 cipher is used for bulk data encryption. The Chacha8 key and nonce are randomly-generated, with the key generated through the Elliptic-curve Diffie–Hellman (ECDH) key agreement algorithm over Curve25519. The ECDH file public key and the nonce are stored in the footer.

The file itself allows for full encryption or partial supporting 100%, 50%, 20%, or 10% of the file data being encrypted. The following is the footer that is used by the ransomware:

‍

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.