Ransomware Eruption: Novel Locker Malware Flows From ‘Volcano Demon’

03-July-24

A new double-extortion ransomware group, “Volcano Demon,” has rapidly emerged, launching multiple attacks with a novel locker malware called LukaLocker, which encrypts files and appends the .nba extension. Discovered by Halcyon researchers, the group relies on evasion tactics such as leaving limited logging behind and pressures victims with threatening phone calls. The attackers use stolen administrative credentials to deploy a Linux version of LukaLocker on Windows systems, exfiltrating data before encryption. Communication with victims is conducted over the qTox messaging software, which complicates tracking efforts. LukaLocker terminates numerous security and monitoring services, encrypts with the ChaCha8 cipher, and has extensive evasion capabilities, making full forensic analysis challenging. Indicators of compromise include specific executables and scripts; the case highlights the need for multifactor authentication and employee training to mitigate such threats.