Volcano Demon, a recently identified threat actor, has been tracked by the researchers at Halcyon due to its unique use of locker malware known as LukaLocker. This adversary encrypts victims' files with a .nba file extension, a technique not previously seen in the cybersecurity landscape. The group primarily uses harvested administrative credentials from its victims' networks to gain access and deploy a Linux version of LukaLocker, which then locks both Windows workstations and servers. Interestingly, unlike many other similar groups, Volcano Demon does not maintain a leak site for posting stolen data.
In its operations, Volcano Demon employs double extortion tactics, although it does not publicly disclose the stolen data. Over the past two weeks, the group has been implicated in several attacks in which it deployed its novel LukaLocker ransomware. The cybersecurity vendor Halcyon revealed that the group's success is largely due to its exploitation of common administrative credentials found within the victim's network. Once these are harvested, the group locks both Windows workstations and servers, demonstrating a high level of adaptability and effectiveness.
Given the modus operandi of Volcano Demon, defensive measures such as multifactor authentication (MFA) and comprehensive employee training on recognizing phishing campaigns can help prevent compromises. Since the group relies heavily on exploiting administrative credentials, these measures could significantly reduce the risk of successful attacks. Furthermore, Halcyon highlighted that prior to any attack, Volcano Demon exfiltrates data to its command-and-control (C2) infrastructure in support of double extortion, suggesting that monitoring and securing outbound data flows could also be an effective defense strategy.
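One concrete detection the description above suggests is watching file telemetry for a burst of renames that add the .nba extension on a single host. The following is an added example, not code from Halcyon or from the original description; the log line format, host and user names, thresholds and sample events are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-rename events (not real telemetry), one per line:
# "<ISO timestamp> <host> <user> RENAME <old_path> -> <new_path>"
SAMPLE_EVENTS = """\
2024-07-01T02:14:03Z FS01 corp\\svc_backup RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.nba
2024-07-01T02:14:04Z FS01 corp\\svc_backup RENAME /share/finance/q3.xlsx -> /share/finance/q3.xlsx.nba
2024-07-01T02:14:04Z FS01 corp\\svc_backup RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.nba
2024-07-01T02:14:05Z FS01 corp\\svc_backup RENAME /share/hr/contracts.docx -> /share/hr/contracts.docx.nba
2024-07-01T02:14:06Z FS01 corp\\svc_backup RENAME /share/it/inventory.db -> /share/it/inventory.db.nba
2024-07-01T09:30:00Z WS07 corp\\jdoe RENAME /home/jdoe/draft.txt -> /home/jdoe/final.txt
2024-07-01T11:02:10Z WS07 corp\\jdoe RENAME /home/jdoe/stats.csv -> /home/jdoe/stats.nba
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) RENAME (?P<old>\S+) -> (?P<new>\S+)$")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than crash the detector
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def is_nba_append(old, new):
    # The locker adds a .nba extension; ignore files that already carried it.
    return new.lower().endswith(".nba") and not old.lower().endswith(".nba")

def detect_nba_bursts(text, threshold=5, window_s=60):
    """Flag hosts where >= threshold files gain a .nba suffix within window_s seconds."""
    per_host = defaultdict(list)
    for e in parse_events(text):
        if is_nba_append(e["old"], e["new"]):
            per_host[e["host"]].append(e)
    alerts = {}
    window = timedelta(seconds=window_s)
    for host, evs in sorted(per_host.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # count renames from this event forward that fall inside the window
            run = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(run) >= threshold:
                alerts[host] = {"count": len(run), "first": start["ts"].isoformat(),
                                "user": start["user"]}
                break  # one alert per host is enough to trigger response
    return alerts
```

A single .nba rename on WS07 stays below the threshold, so only the burst on FS01 is reported, together with the account that performed it, which is the credential to suspend first.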
Description last updated: 2024-09-12T17:07:47.237Z