
Volcano Demon – Threat Actor

January 28, 2025
in Ransomware Group, Threat Actors

Volcano Demon

Date of Initial Activity: 2024
Location: Unknown
Suspected Attribution: Ransomware Group
Associated Tools: LukaLocker Malware
Motivation: Financial Gain
Software: Servers

Overview

In the ever-evolving landscape of cyber threats, a new player has emerged: the Volcano Demon threat actor. Identified by researchers at Halcyon, a provider of anti-ransomware solutions, Volcano Demon is notable for deploying the LukaLocker ransomware, which has rapidly gained notoriety for its sophisticated attack methods and targeted operations. Since its initial detection, this group has successfully compromised various organizations by exploiting administrative credentials, leading to severe disruptions in IT systems and data breaches. Volcano Demon employs a unique approach to its ransomware operations, utilizing double extortion tactics that not only encrypt victim files but also exfiltrate sensitive data before initiating the attack. This two-pronged strategy places immense pressure on victims, forcing them into a precarious position of compliance in order to regain access to their critical information. The group’s operational techniques include the strategic clearing of logs, rendering forensic investigations nearly impossible and complicating recovery efforts for affected organizations.

Common Targets: Information

Attack vectors: Phishing

How they work

At the core of Volcano Demon’s strategy is the use of the LukaLocker ransomware, which has been observed encrypting files with the .nba extension. This sophisticated payload is a 64-bit PE binary written in C++, utilizing API obfuscation and dynamic API resolution to conceal its malicious functionalities. By employing these techniques, the ransomware significantly complicates detection, analysis, and reverse engineering efforts, making it difficult for traditional security solutions to identify and mitigate the threat effectively.

Once deployed, LukaLocker exhibits a particularly aggressive approach to maintaining its foothold within a compromised network. Before executing the ransomware, Volcano Demon typically exfiltrates sensitive data to command-and-control (C2) services. This step not only facilitates double extortion tactics, where victims are pressured into paying a ransom for both the decryption of their files and the non-disclosure of stolen data, but also enables the attackers to gather intelligence on the target organization. By obtaining detailed insights into the victim’s environment, the group can tailor its attacks for maximum impact.

Another technical hallmark of Volcano Demon’s operations is their exploitation of administrative credentials, which allows them to successfully lock both Windows workstations and servers. These credentials are often harvested through various means, including phishing attacks or exploiting unpatched vulnerabilities. Once inside the network, the attackers can navigate laterally to identify critical systems, furthering their reach and amplifying the damage inflicted on the organization.

Upon execution of the ransomware, LukaLocker automatically terminates several security tools and services unless specified otherwise through the parameter “–sd-killer-off.” This tactic mirrors the methodologies employed by notorious ransomware gangs like Conti and highlights Volcano Demon’s intent to disable any defenses that might impede their encryption efforts.

When it comes to encryption, LukaLocker utilizes the ChaCha8 cipher, which is known for its efficiency and security. The ransomware generates random keys and nonces, with the key derived using the Elliptic-curve Diffie–Hellman (ECDH) key agreement algorithm over Curve25519. This cryptographic approach allows for either full or partial encryption of files, providing options that range from encrypting 100% to as little as 10% of file data. This flexibility not only complicates decryption efforts for victims but also increases the pressure to comply with the ransom demands.

The operational methods of Volcano Demon illustrate a calculated and sophisticated approach to ransomware deployment, significantly raising the stakes for organizations unprepared for such threats. As cybercriminals continue to refine their tactics and leverage advanced technologies, it becomes increasingly essential for businesses to adopt robust cybersecurity measures, including comprehensive monitoring, rapid incident response protocols, and employee training on recognizing phishing attempts. The technical prowess displayed by Volcano Demon underscores the urgent need for heightened vigilance in defending against evolving ransomware threats.
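Because LukaLocker may encrypt anywhere from 10% to 100% of each file, a responder triaging a host cannot assume that every file carrying the .nba extension is ciphertext from end to end; parts of a partially encrypted document may still be recoverable, and the encrypted fraction is useful evidence of which mode the operator chose. The following Python script is an added example written for this page, not code from the article or from Halcyon: it walks a file in fixed-size chunks, measures the Shannon entropy of each chunk, and reports the fraction that looks like ciphertext. The chunk size, the entropy threshold, the classification cut-offs and the sample data are all assumptions chosen for illustration.

```python
"""Triage helper: estimate how much of a file's content has been encrypted.

Added example, not from the article or the Halcyon report. The chunk size,
entropy threshold and classification cut-offs below are assumptions; tune
them against known-good files from the affected environment.
"""
import math
import random
from collections import Counter
from pathlib import Path

CHUNK_SIZE = 4096          # assumed analysis granularity in bytes
CIPHERTEXT_ENTROPY = 7.2   # bits/byte; random-looking data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                       threshold: float = CIPHERTEXT_ENTROPY) -> float:
    """Fraction of fixed-size chunks whose entropy reaches the ciphertext threshold."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return high / len(chunks)


def classify(fraction: float) -> str:
    """Label the encryption mode suggested by the measured fraction (assumed cut-offs)."""
    if fraction >= 0.95:
        return "full"
    if fraction > 0.0:
        return "partial"
    return "none"


def triage_file(path: Path) -> dict:
    """Summarise one file: size, estimated encrypted fraction and mode label."""
    data = path.read_bytes()
    frac = encrypted_fraction(data)
    return {"path": str(path), "size": len(data),
            "encrypted_fraction": round(frac, 2), "mode": classify(frac)}


def triage_directory(root, extension: str = ".nba") -> list:
    """Triage every file under root that carries the given extension."""
    return [triage_file(p) for p in Path(root).rglob(f"*{extension}") if p.is_file()]


def build_sample(encrypted_chunks: int, total_chunks: int = 10, seed: int = 1) -> bytes:
    """Constructed sample: low-entropy text with the first N chunks replaced by
    seeded pseudo-random bytes, which stand in for ciphertext in this demo."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue, costs and headcount by region. " * 80)[:CHUNK_SIZE]
    chunks = []
    for i in range(total_chunks):
        if i < encrypted_chunks:
            chunks.append(bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE)))
        else:
            chunks.append(text)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline demonstration on constructed data; point triage_directory() at a
    # mounted image or staging share to run it on real files.
    for n in (1, 5, 10):
        frac = encrypted_fraction(build_sample(n))
        print(f"{n}/10 chunks replaced -> encrypted_fraction={frac:.2f} mode={classify(frac)}")
```

The entropy test has a known blind spot: already-compressed formats (archives, JPEG, many Office containers) are high-entropy in their plaintext form and will read as "full" regardless of what the ransomware did, so pair the measurement with the original extension or magic bytes before drawing conclusions about recoverability.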
References:
  • New Threat Actor Volcano Demon Serves Up LukaLocker Ransomware
Tags: Cyber threats, Halcyon, Linux, LukaLocker, Phishing, Ransomware, Threat Actors, Volcano Demon, Windows