A new ransomware collective by the name of Volcano Demon executed two successful cyber attacks in the past two weeks, and researchers have noted its novel tactics to ensure their victims pay up.
The group was observed calling the victims, sometimes daily, to pressure them into paying the ransom, a far less common extortion method rarely seen utilized by other operators.
Researchers at security firm Halcyon published a report on 1 July claiming to have discovered the new ransomware collective, detailing the tactics, techniques, and procedures (TTPs) used by the group in their early activities.
The analysis centered around a sample of the encryptor being deployed by the group, LukaLocker, which was observed encrypting victim files with the .nba file extension. The researchers also found a Linux version of LukaLocker on the victim’s network.
Using administrative credentials harvested from the network, Volcano Demon were able to lock both Windows workstations and servers, exfiltrating data prior to the attack to a C2 server, presumably for double extortion purposes.
The collective appear to be well-versed in stealth tactics, according to Halcyon, noting the team was unable to carry out a full forensic evaluation of the attack chain due to their proficiency in clearing victim logs and covering their tracks.
Ransomware extortion over the phone
Halcyon highlighted the fact that in both attacks the group appeared to forego using a dedicated leak site, like many of their more well-established counterparts, instead opting to call their victims to try and extract the ransom.
“During both cases, the threat actor features no leak site and uses phone calls to leadership and IT executives to extort and negotiate payment. Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations, Halcyon researchers said.
Adam Pilton, senior cybersecurity consultant at CyberSmart, commented this approach is an interesting one that makes the ransom negotiations, an increasingly frequent process, a lot more complicated.
"This is an interesting development in ransomware attacks, the idea of using a telephone call and actually speaking to the attacker makes the response from the victim so much more complicated,” he commented.
Ransom negotiators will have to adapt to this medium, Pilton added, which is relatively novel for cyber crime. Similarly, the fact that the attackers could call the victim at any time places additional strain on the victim, who will need to ensure they have a negotiator available at the drop of a hat.
“Negotiators have become familiar with the process of responding via the written word and the fact that they can carefully construct their response taking the time they need to do so, responding to each development to suit the speed and shape the narrative they want to use,” he explained.
“However, with a telephone call coming from an unknown number at an unknown time into the business, the number of variables increases meaning you may need a negotiator on hand and available at all times then possible even in the office or warehouse the call comes into. This increases the cost of the negotiator service. It also means that the negotiator has to be prepared for all eventualities.”
This, of course, Pilton warned, is if the organization can even afford to hire a negotiator, noting that many organizations will be forced to talk to the attackers themselves.
“But that is all assuming that you are going to have a negotiator most people won't have that luxury and this means that individuals will be speaking directly to attackers and may universally give further information away, whether that be information about their networks or simply there emotional state and the their current position in terms of making a payment or not.”
Calling victims could give law enforcement a leg up in the information arms race
Pilton pointed out a minor silver lining to this development in that phone calls are more difficult to mask than IP addresses, and this approach will give law enforcement more to work with in terms of identifying and catching the culprits.
“There is also the additional element of investigative lines of inquiry for law enforcement. Traditionally IP addresses are very simple to hide behind and although telephone data can be obscured the information the attacker gives away is potentially so much more, as there will be voice data and potential background noise, as well as the call connection records,” he said.
“I'm intrigued to see how this develops and whether ransomware groups using phone calls will be the new phase of ransomware, if so this will certainly impact insurers as well as though on the ground defending against such attacks."
