A new ransomware gang has been discovered that harasses its victims over the phone until they pay up.
A report from anti-ransomware firm Halcyon claimed that Volcano Demon was seen attacking “several” targets in recent weeks, deploying a new cryptor called LukaLocker.
Their method is relatively simple: the threat actor will first find a way into the target network, map it, and then extract as many sensitive files as they can. They will then deploy the encryptor, lock down files and entire systems, and demand payment in cryptocurrency in exchange for the decryption key and for keeping the stolen files private.
There is no data leak site
LukaLocker appends the .nba file extension to encrypted files. It reportedly works on both Windows and Linux devices. The encryptor was also relatively good at hiding its traces. Since it erases logs before exploitation, cybersecurity researchers are unable to perform a full forensic assessment.
The limited logging and monitoring solutions they had installed did not help the victims either. Finally, LukaLocker can disable processes linked to the most popular antivirus and antimalware solutions.
While all of this is relatively similar to what other ransomware actors do, there is one key difference: Volcano Demon does not have a dedicated data leak site. Instead, it will phone the victim company's address to try to negotiate a payment. All calls come from unidentified caller ID numbers, and as researchers stress, they can be threatening in both tone and expectations.