Full Report
Every month, we bring you some of the key findings from Outpost24’s Threat Intelligence team, KrakenLabs. Here’s what you need to know from July. Threat actor of the month: Volcano demon – Ransomware group “Volcano demon” is a new ransomware group that follows the double-extortion trend and introduces a traditional yet innovative way of extorting […] The post Threat Context monthly: Executive intelligence briefing for July 2024 appeared first on Outpost24.
Analysis Summary
# Threat Actor: Volcano demon
## Attribution & Identity
Volcano demon is a new ransomware group first reported in July 2024.
Associated groups: none named in the briefing.
## Activity Summary
Volcano demon runs a double-extortion ransomware campaign: it compromises a victim, encrypts data, and then opens negotiations. Its distinguishing tactic is calling the victim's leadership and IT executives directly from unidentified caller-ID numbers to pressure them into paying. The group also claims to exfiltrate data and threatens to publish it, but it has no known public Data Leak Site (DLS), so victims have no public posting against which to check those claims.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromises victim environments with harvested administrative credentials.
- **Encryption:** Uses the LukaLocker ransomware, a C++ locker with Windows and Linux server variants.
- **Extortion:** Double extortion: encryption plus data exfiltration and the threat of public release.
- **Negotiation:** Calls executives directly from unidentified numbers to drive ransom negotiation.
- **File Marking:** Appends the `.nba` extension to encrypted files.
- **Ransom Note:** Drops a ransom note on compromised devices.
## Targeting
- Sectors: Manufacturing and logistics companies.
- Geography: Not specified in the briefing; only the victims' sectors are given.
- Victims: At least two confirmed attacks, across the manufacturing and logistics sectors.
## Tools & Infrastructure
- Malware families used: LukaLocker (a C++ ransomware targeting both Windows and Linux servers).
- Infrastructure (C2, domains, IPs): Not detailed in the briefing; the only contact channel described is the group's phone calls from unidentified numbers.
## Implications
Volcano demon presents an elevated risk because it pairs standard double extortion with an aggressive communication strategy: phone calls to executive leadership from unidentified numbers, which route around the IT and incident response channels that normally handle ransomware contact. Because there is no known DLS, victims cannot corroborate the group's exfiltration claims against a public posting, which makes the phone pressure its main lever and complicates both incident response and the decision of whether to treat the event as a confirmed data breach. The use of LukaLocker, which has Windows and Linux builds, means both server populations must be in scope for containment and recovery.
## Mitigations
- **Credential Hygiene:** Enforce MFA on all administrative accounts, keep administrative credentials off user workstations and out of reuse across tiers, and alert on credential dumping and anomalous privileged logons, since harvested admin credentials are the group's reported entry point.
- **Executive Communication Verification:** Brief executives that ransomware negotiators may call them directly. Unexpected calls about a security incident should be handed to the incident response team and verified through a known, independent channel (for example a pre-agreed third-party verification line), and never acted on from the inbound call alone.
- **Endpoint Protection:** Deploy endpoint detection and response on both Windows and Linux servers, with coverage for LukaLocker behaviour such as mass renames to the `.nba` extension and the dropping of a ransom note.
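
As an added example (not code from the original briefing, Outpost24 or KrakenLabs), the following Python detector turns the two host-level LukaLocker indicators listed above, the `.nba` extension on encrypted files and the dropped ransom note, into alerts over a stream of file events. It assumes a log line format and a ransom-note filename pattern that the briefing does not give; both are placeholders, and the sample events are constructed for the demo.

```python
"""Added example, not code from Outpost24 or KrakenLabs: a small file-event
detector for the two host-level LukaLocker indicators named in this
briefing, the `.nba` extension on encrypted files and the dropped ransom note.

Assumptions (not stated in the briefing): the ransom-note filename pattern
below is a placeholder to tune to what you observe, the log line format is
invented for the demo, and the sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".nba"
# Placeholder pattern (assumption): replace with the note name seen in your case.
NOTE_PATTERN = re.compile(r"(?i)^readme.*\.txt$")


def parse_events(lines):
    """Parse constructed 'ISO8601 host action path' lines into tuples."""
    events = []
    for line in lines:
        ts, host, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, action, path))
    return events


def detect(events, window=timedelta(seconds=60), threshold=20):
    """Return (host, rule, detail) alerts.

    encryption_burst: at least `threshold` renames/creates ending in .nba on
                      one host inside a sliding `window` (fires once per host).
    ransom_note:      any file creation whose name matches NOTE_PATTERN.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent .nba writes
    fired = set()
    for ts, host, action, path in sorted(events, key=lambda e: e[0]):
        name = path.rsplit("/", 1)[-1]
        if action in ("rename", "create") and name.endswith(ENCRYPTED_EXT):
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:  # drop timestamps outside the window
                q.popleft()
            if len(q) >= threshold and host not in fired:
                fired.add(host)
                alerts.append((host, "encryption_burst",
                               f"{len(q)} {ENCRYPTED_EXT} files in {window.seconds}s"))
        elif action == "create" and NOTE_PATTERN.search(name):
            alerts.append((host, "ransom_note", path))
    return alerts


# Constructed sample: one server being encrypted, one workstation with a
# couple of stray .nba files that must not trip the burst rule.
SAMPLE_LINES = (
    ["2024-07-10T09:58:00 ws-07 rename /home/ann/stats.csv.nba",
     "2024-07-10T09:58:30 ws-07 rename /home/ann/old.csv.nba"]
    + [f"2024-07-10T10:00:{i:02d} fileserver01 rename /srv/share/doc{i}.xlsx.nba"
       for i in range(25)]
    + ["2024-07-10T10:00:30 fileserver01 create /srv/share/README.txt"]
)


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for host, rule, detail in run_demo():
        print(f"{host}: {rule}: {detail}")
```

In production the `parse_events` stub would be replaced by a feed of Sysmon FileCreate or Linux auditd events, and `threshold` and `window` tuned against a baseline of normal rename rates on the host class; the burst rule is deliberately rate-based so that a handful of coincidental `.nba` filenames, as on `ws-07` in the sample, does not page anyone, while the note rule fires on a single hit because a ransom note has no benign explanation.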