Volcano Demon Ransomware Group Uses Phone Calls for Direct Extortion

Introduction

A newly identified ransomware group, "Volcano Demon," has emerged, targeting executives directly with threatening phone calls instead of the typical data leak sites. Over the past two weeks, this group has carried out several attacks, deploying a unique ransomware variant known as “LukaLocker,” according to a report from Halcyon.

LukaLocker Ransomware Attack Overview

Volcano Demon’s ransomware, LukaLocker, encrypts files with a .nba extension. The group has meticulously crafted the ransomware to evade detection and analysis. Written and compiled using C++, LukaLocker employs API obfuscation and dynamic API resolution to hide its malicious functionalities, making it difficult for security tools to detect and analyze.

Upon execution, LukaLocker terminates various services and processes, including backup systems, endpoint detection, antivirus software, system monitoring, and remote access tools. The group successfully locks both Windows workstations and servers using administrative credentials harvested from the network. Before the attack, they exfiltrate data to command-and-control (C2) services for double extortion.

Volcano Demon’s Unique Extortion Tactics

What sets Volcano Demon apart is their unconventional approach to extortion. Instead of using data leak sites, they pressure executives directly via phone calls. These calls come from unidentified numbers and are often threatening in tone. The group’s ransom note is equally menacing, warning that if the ransom is not paid, they will publicize confidential data, inform clients and partners, and sell data to scammers who will further exploit the information.

Challenges in Incident Response

Adam Pilton, a senior cybersecurity consultant at CyberSmart, noted that phone-based extortion adds complexity to incident response efforts. The unpredictability of calls from unknown numbers requires businesses to have negotiators ready at all times, increasing the cost and complexity of response strategies. However, Pilton also pointed out that this method might provide new leads for law enforcement, as voice data and call connection records can offer valuable clues.

Enhanced Security Measures

The emergence of groups like Volcano Demon underscores the importance of robust cybersecurity measures. Implementing stolen credentials detection, darknet monitoring services, and dark web surveillance can help organizations protect sensitive information. Utilizing compromised data tracking, digital footprint analysis, and brand protection strategies are essential for mitigating these risks. Additionally, brand impersonation defense, online risk evaluation, and digital threat scoring are critical components of a comprehensive cybersecurity strategy.

Conclusion

Volcano Demon’s new approach to ransomware attacks highlights the evolving tactics of cybercriminals. By staying informed about emerging threats and implementing proactive security measures, organizations can better defend against these sophisticated attacks and protect their sensitive data.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.