A newly identified ransomware group named “Volcano Demon” has shaken up the cybersecurity landscape with a bold departure from conventional tactics. Rather than relying on typical leak sites to exert pressure, Volcano Demon has opted for direct and intimidating phone calls aimed at executives within targeted organizations. This approach aims to bypass traditional cybersecurity defenses and leverage psychological tactics to coerce victims into paying ransoms quickly.
The group’s weapon of choice, “LukaLocker,” encrypts files with a .nba extension and utilizes sophisticated techniques like API obfuscation and dynamic API resolution. These methods are designed to evade detection by security tools and hinder forensic analysis efforts, making it challenging for cybersecurity teams to mitigate the impact once an attack has been launched.
Volcano Demon’s modus operandi involves gaining initial access through compromised administrative credentials within the victim’s network. Once inside, the ransomware not only encrypts sensitive data but also exfiltrates it to leverage in double extortion schemes. To cover their tracks and impede investigations, the group systematically clears logs and minimizes victim monitoring and logging capabilities, further complicating the recovery process for affected organizations.
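The two behaviours described in the paragraphs above, mass renaming of files to the .nba extension and clearing of event logs, are both observable from a defender's side. The following Python is an added detection sketch written for this summary; it is not code from the original write-up and is not derived from any LukaLocker sample. It assumes a constructed, simplified event feed (one JSON object per line) with two record kinds, `file` and `winlog`, whose field names are assumptions rather than a real product schema. The .nba extension comes from the article; Windows event IDs 1102 (Security log cleared) and 104 (System/Application log cleared) are the standard audit-log-cleared events.

```python
"""Detection sketch for the behaviours described above.

Added example; not code from the original article and not derived from a
LukaLocker sample. Assumes a constructed JSON-lines feed with two kinds:
  {"kind": "file",   "host", "user", "op": "rename", "src", "dst", "ts"}
  {"kind": "winlog", "host", "user", "channel", "event_id", "ts"}
Field names and the feed layout are assumptions, not a real schema.
"""
import json
from collections import defaultdict
from typing import Iterable

RANSOM_EXTENSION = ".nba"          # extension reported for LukaLocker (from the article)
LOG_CLEARED_EVENT_IDS = {1102, 104}  # Windows "audit log cleared" events
RENAME_THRESHOLD = 5               # constructed tuning: >= 5 renames to .nba per host/user


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole sweep
    return events


def detect_mass_rename(events: list[dict]) -> list[dict]:
    """Flag (host, user) pairs renaming many files to the ransom extension."""
    counts: dict = defaultdict(int)
    for ev in events:
        if ev.get("kind") == "file" and ev.get("op") == "rename":
            if str(ev.get("dst", "")).lower().endswith(RANSOM_EXTENSION):
                counts[(ev.get("host"), ev.get("user"))] += 1
    return [
        {"rule": "mass_rename_to_nba", "host": h, "user": u, "count": c}
        for (h, u), c in sorted(counts.items()) if c >= RENAME_THRESHOLD
    ]


def detect_log_clearing(events: list[dict]) -> list[dict]:
    """Flag event-log-cleared records, which the article says the group produces."""
    return [
        {"rule": "event_log_cleared", "host": ev.get("host"),
         "user": ev.get("user"), "channel": ev.get("channel")}
        for ev in events
        if ev.get("kind") == "winlog" and ev.get("event_id") in LOG_CLEARED_EVENT_IDS
    ]


def run_detections(lines: Iterable[str]) -> list[dict]:
    """Run both rules over a feed and return the combined alert list."""
    events = parse_events(lines)
    return detect_mass_rename(events) + detect_log_clearing(events)


# Constructed sample feed: a service account on FS01 renames six files to
# .nba and then clears the Security log; a normal user rename and a normal
# logon event are included as benign noise that must not alert.
SAMPLE_LOG = "\n".join(
    [f'{{"kind":"file","host":"FS01","user":"svc-admin","op":"rename",'
     f'"src":"D:\\\\share\\\\doc{i}.docx","dst":"D:\\\\share\\\\doc{i}.docx.nba","ts":"T{i}"}}'
     for i in range(6)]
    + ['{"kind":"file","host":"WS07","user":"alice","op":"rename",'
       '"src":"C:\\\\notes.txt","dst":"C:\\\\notes.bak","ts":"T6"}',
       '{"kind":"winlog","host":"FS01","user":"svc-admin","channel":"Security",'
       '"event_id":4624,"ts":"T7"}',
       '{"kind":"winlog","host":"FS01","user":"svc-admin","channel":"Security",'
       '"event_id":1102,"ts":"T8"}']
)

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both rules are deliberately cheap so they can run over an endpoint or SIEM feed at volume; in practice the rename threshold would be tuned per environment, and a log-cleared event should be correlated with the preceding file activity rather than treated in isolation.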
What sets Volcano Demon apart is its direct engagement with victim organizations. The group places phone calls to key executives from unidentified numbers, using a menacing tone to intimidate them and expedite ransom payments. Coupled with ransom notes threatening to publish sensitive corporate data if demands are not met, these tactics heighten the urgency and pressure on targeted entities and amplify the potential consequences of non-compliance. The emergence of Volcano Demon highlights the evolving sophistication of ransomware tactics and the critical need for organizations to bolster their cybersecurity defenses.