Volcano Demon Ransomware Attack Detection: Adversaries Apply a New LukaLocker Malware Demanding Ransom via Phone Calls
New ransomware maintainers have rapidly emerged in the cyber threat arena, employing innovative locker malware and a variety of detection evasion tactics. The ransomware gang dubbed “Volcano Demon” leverages novel LukaLocker malware and demands ransom payment via phone calls to IT executives and decision-makers.
Detect Volcano Demon Ransomware Attacks
Ransomware remains one of the top menaces for cyber defenders, with over 300 million attack attempts launched in 2023 and the average ransom payment surging 500% in the last year. New ransomware strains keep emerging, so cyber defenders require advanced threat detection and hunting tools to stay on top of potential threats.
Rely on SOC Prime’s Platform for collective defense to detect malicious activity associated with various ransomware gangs, including the novel Volcano Demon group targeting users with LukaLocker. Specifically, the rule by our experienced Threat Bounty developer Emir Erdogan helps to identify service stop and device restart activities of the Volcano Demon ransomware group based on command-line parameters.
Possible Volcano Demon Ransomware (LukaLocker) Suspicious Activity (via commandLine)
The rule above is compatible with 27 SIEM, EDR, and Data Lake Platforms and mapped to the MITRE ATT&CK® framework, addressing the Impact tactic, with Service Stop (T1489) as the main technique.
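The behavior the rule targets, a burst of service-stop commands followed by a restart on the same host, can be expressed as a command-line correlation. The following is an added example, not SOC Prime's rule or code from this page; the regex patterns, thresholds, and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed patterns for illustration only; the actual strings used by the
# SOC Prime rule are not published on this page.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\bstop-service\b", re.I)
RESTART = re.compile(r"\bshutdown(?:\.exe)?\b.*\s[/-]r\b|\brestart-computer\b", re.I)

def find_stop_then_restart(events, window_s=300, min_stops=3):
    """Return [(host, restart_ts, stop_count)] for every restart command that is
    preceded, on the same host and within window_s seconds, by at least
    min_stops service-stop command lines (ATT&CK T1489 followed by a reboot)."""
    stops = defaultdict(list)  # host -> timestamps of service-stop commands
    hits = []
    for ts, host, cmdline in sorted(events):
        if SERVICE_STOP.search(cmdline):
            stops[host].append(ts)
        elif RESTART.search(cmdline):
            recent = [t for t in stops[host] if ts - t <= window_s]
            if len(recent) >= min_stops:
                hits.append((host, ts, len(recent)))
    return hits

# Constructed process-creation events: (epoch seconds, host, command line).
SAMPLE_EVENTS = [
    # Suspicious: several services stopped, then an immediate forced restart.
    (1000, "srv01", 'net stop "SQLWriter" /y'),
    (1002, "srv01", "sc.exe stop VSS"),
    (1003, "srv01", "net1 stop BackupExecJobEngine /y"),
    (1010, "srv01", "shutdown.exe /r /t 0 /f"),
    # Benign: one service bounced during maintenance, reboot hours later.
    (1000, "wks07", "net stop Spooler"),
    (1001, "wks07", "net start Spooler"),
    (9000, "wks07", "shutdown /r /t 60"),
    # Not matched: services stopped, but a power-off (/s) rather than a restart.
    (2000, "srv02", "sc stop ServiceA"),
    (2001, "srv02", "sc stop ServiceB"),
    (2002, "srv02", "sc stop ServiceC"),
    (2005, "srv02", "shutdown /s /t 0"),
]

if __name__ == "__main__":
    for host, ts, count in find_stop_then_restart(SAMPLE_EVENTS):
        print(f"{host}: {count} service stops followed by restart at t={ts}")
```

Tune `window_s` and `min_stops` against your own patching and maintenance baselines, since legitimate update workflows also stop services before a reboot.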
To dive deeper into the rule stack aimed at ransomware attack detection, hit the Explore Detections button below. All the algorithms are enriched with extensive metadata, including ATT&CK references, CTI links, attack timelines, triage recommendations, and other relevant details for streamlined threat investigation.
Eager to join SOC Prime’s crowdsourcing initiative? Skilled cybersecurity practitioners striving to enrich their Detection Engineering and Threat Hunting skills can join the ranks of our Threat Bounty Program to make their own contribution to collective industry expertise. Participation in the Program enables detection content authors to monetize their professional skills while helping build a safer digital future.
Volcano Demon Ransomware Group Attack Analysis
Halcyon researchers have recently detected new double-extortion ransomware operators, tracked as Volcano Demon, behind a series of attacks in the past two weeks. Adversaries take advantage of a Linux iteration of LukaLocker ransomware that encrypts targeted files with the .nba file extension. Volcano Demon also employs a set of adversary techniques to stay under the radar and hinder defensive measures. The LukaLocker ransomware used by adversaries is an x64 PE binary written and compiled in the C++ programming language. It leverages API obfuscation and dynamic API resolution to hide its offensive functions, making it difficult to detect, analyze, and reverse engineer.
Volcano Demon manages to lock both Windows workstations and servers by applying common admin credentials. Before the attack, adversaries exfiltrate data to C2 services for double extortion.
In the observed Volcano Demon attacks, ransomware operators clear logs before exploitation, hindering detection and forensics efforts. Notably, they don’t feature a leak site and take advantage of unidentified caller ID numbers to call victims and negotiate ransom payments. Based on the attack analysis, researchers have also uncovered a Linux-based iteration of LukaLocker.
With ransomware remaining a challenging and disruptive threat to global organizations, coupled with the increased sophistication of its offensive capabilities and advanced detection evasion methods, cyber vigilance is a top priority. SOC Prime’s platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero trust, and AI-powered technologies is intended to help global organizations identify intrusions in a timely manner and continuously strengthen their cybersecurity posture.