Security research firm Halcyon recently reported that it “encountered” a new ransomware organization dubbed Volcano Demon several times in the past few weeks.
According to its report, Volcano Demon uses the encryptor LukaLocker with a .nba file extension. Halcyon provided an encryptor sample in its post.
Although Volcano Demon uses traditional methods of extortion, including encryption, exfiltration, and double extortion techniques, Halcyon noted that “logs were cleared prior to exploitation and…a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event.”
Further, and very concerning to this writer, is that Volcano Demon doesn’t establish a leak site or negotiate under what we sickeningly call “normal” communication methods. No, Volcano Demon doesn’t email or use the Onion or Tor platforms; Volcano Demon calls the victim. This means they are calling random people in the organization (people who are probably not part of the incident response team) and threatening and scaring them with angry phone calls. During an incident, it is crucial to try to control communication between the threat actor and the organization, and professionals are hired to assist. This goes out the window when the threat actor starts calling random people in the organization who are unprepared and vulnerable. Needless to say, I don’t need to detail the risks and concerns with this new technique.
Once one threat actor finds a successful technique, others will copy it, so I predict that this will not be the last time we see this technique used. It is important to highlight this new technique when you are conducting tabletop exercises, to determine the steps you will take to respond and mitigate, and when rolling out wider cybersecurity training to the organization. Your people need to know what to do if they get called by a threat actor. They need to know who to contact and exactly what to do. They can’t be left to figure it out on their own. I am now incorporating this into all training sessions to at least try to give employees a heads-up and provide tips to keep their heads cool during stressful situations.