Volcano Demon ransomware gang utilizes novel tactics for ransomware extortion.
A previously unknown ransomware group dubbed “Volcano Demon” has been infecting organizations for the past two weeks using a new ransomware variant called “LukaLocker”, which, according to Halcyon, encrypts files with the .nba extension.
What sets this threat apart from other ransomware attacks is its unusual extortion method. Instead of publishing stolen data to a leak site as most ransomware operators do, the Volcano Demon gang has been directly phoning leadership and IT executives at victim organizations, making threatening calls that demand ransom payments.
“Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations,” warned Halcyon in their analysis. They note this novel approach increases the risk and complications for victims, as phone calls can come at any time directly to key staff.
The LukaLocker ransomware itself uses various evasion and anti-analysis techniques to avoid detection. Upon execution it terminates backup, antivirus and monitoring services so that encryption can proceed unhindered. According to Halcyon’s investigation, the attackers leveraged harvested credentials to encrypt both workstations and servers across impacted networks. Logs were also cleared to limit forensic evidence.
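As an added illustration (not part of Halcyon’s report), the following correlation rule flags hosts that show two or more of the behaviours described above within a short window: termination of backup/AV/monitoring services, clearing of event logs, and file writes with the .nba extension. The telemetry format, sample lines and the list of protected service names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "timestamp|host|event|detail"
SAMPLE_LOG = """\
2024-07-01T02:14:03|srv-fs01|service_stop|VeeamBackupSvc
2024-07-01T02:14:05|srv-fs01|process_kill|MsMpEng.exe
2024-07-01T02:14:20|srv-fs01|log_cleared|Security
2024-07-01T02:15:02|srv-fs01|file_write|D:\\shares\\finance\\q2.xlsx.nba
2024-07-01T02:15:03|srv-fs01|file_write|D:\\shares\\finance\\q2.xlsx.nba
2024-07-01T09:30:00|ws-042|process_kill|notepad.exe
2024-07-01T09:31:00|ws-042|file_write|C:\\Users\\a\\report.docx
"""

# Assumed list of backup/AV/monitoring names whose termination is suspicious
PROTECTED = re.compile(r"(backup|veeam|msmpeng|defender|sentinel|crowdstrike|monitor)", re.I)
WINDOW = timedelta(minutes=10)  # signals must cluster within this window


def parse(line):
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail


def detect(log_text):
    """Return {host: [signals]} for hosts with >=2 distinct LukaLocker-style
    signals inside WINDOW. Signals: kill_protected, log_cleared, nba_ext."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, event, detail = parse(line)
        sig = None
        if event in ("service_stop", "process_kill") and PROTECTED.search(detail):
            sig = "kill_protected"       # backup/AV/monitoring service killed
        elif event == "log_cleared":
            sig = "log_cleared"          # anti-forensics: event log wiped
        elif event == "file_write" and detail.lower().endswith(".nba"):
            sig = "nba_ext"              # encrypted output extension
        if sig:
            events[host].append((ts, sig))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            sigs = {s for t, s in evs[i:] if t - t0 <= WINDOW}
            if len(sigs) >= 2:           # two independent signals = alert
                hits[host] = sorted(sigs)
                break
    return hits
```

Only the file server trips the rule; the workstation’s benign process kill and ordinary file write produce no signal, which keeps the rule from alerting on routine activity.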
Ransom Note Threatens Further Attacks and Data Leaks
The ransom note left after infection takes an uncompromising tone, threatening not just continued attacks but to leak stolen data if victims do not pay up. “Your corporate network has been encrypted. And that’s not all – we studied and downloaded a lot of your data,” it warns.
“If you ignore this incident, we will ensure that your confidential data is widely available to the public. We will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees.”
This double extortion tactic of both encrypting systems and threatening to leak stolen sensitive information is a common technique among many modern ransomware operators looking to pressure victims into paying ransoms. However, directly contacting leadership by phone rather than relying on online leaks represents a concerning escalation.
Incident Response Challenges with Phone-Based Extortion
Cybersecurity expert Adam Pilton from CyberSmart commented on the complications this new phone-based extortion approach brings. As calls can come from unknown numbers at any time, organizations may need “a negotiator on hand and available at all times”, adding to incident response costs.
However, Pilton also sees potential opportunities for law enforcement. “Here will be voice data and potential background noise, as well as the call connection records” he notes. Traditional internet-based communications can be much easier for attackers to obscure.
The Volcano Demon group shows how ransomware operators continue to evolve their ransomware and extortion techniques to stay ahead of defenses. Directly threatening organizations over the phone takes social engineering and intimidation to a new level.
Companies must now account for the increased preparation, response challenges and costs that phone-based ransomware extortion poses going forward. It remains critical for all organizations to have robust backups, incident response plans and insurance in place to manage this growing threat.