Ransomware Eruption: Novel Locker Malware Flows From ‘Volcano Demon’

Published: 23/11/2024   Category: security




Attackers clear logs before exploitation and negotiate ransoms from “No Caller ID” phone numbers, complicating detection and forensics efforts.



A double-extortion ransomware player has exploded onto the scene with several attacks in two weeks, wielding innovative locker malware and a slew of evasion tactics for covering its tracks and making it difficult for security experts to investigate.
Tracked as Volcano Demon by the researchers at Halcyon who discovered it, the new adversary is characterized by never-before-seen locker malware, dubbed LukaLocker, that encrypts victim files with the .nba file extension, according to a blog post published this week.
The attackers’ evasion tactics include the installation of limited victim logging and monitoring solutions prior to exploitation, and the use of threatening phone calls from “No Caller ID” numbers to extort or negotiate a ransom.
“Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks,” the Halcyon Research Team wrote in the post. Volcano Demon also has no leak site for posting data it steals during its attacks, though it does use double extortion as a tactic, the team said.
In its attacks, Volcano Demon used common administrative credentials harvested from the networks of its victims to load a Linux version of LukaLocker, then successfully locked both Windows workstations and servers. The attackers also exfiltrated data from the network to their own command-and-control (C2) server prior to ransomware deployment so they could use double extortion.
A ransom note instructs victims to contact attackers through the qTox messaging software and then wait for technical support to call them back, making it difficult to track the communication between the parties, according to Halcyon.
Halcyon researchers first discovered a sample of what they now call LukaLocker on June 15, according to the post. The ransomware is an x64 PE binary written and compiled using C++, the team wrote. LukaLocker employs API obfuscation and dynamic API resolution to conceal its malicious functionality — evading detection, analysis, and reverse engineering.
Upon execution, unless --sd-killer-off is specified, LukaLocker immediately terminates some security and monitoring services present on the network, a routine similar to and possibly copied from the prolific but now-defunct Conti ransomware, according to the post. These services include various antivirus and endpoint protection products; backup and recovery tools; database software by Microsoft, IBM, and Oracle, among others; Microsoft Exchange Server; virtualization software; and remote access and monitoring tools. It also terminates other processes, including Web browsers, Microsoft Office, and cloud and remote access software such as TeamViewer.
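The two behaviours described above, log clearing before the attack and a rapid kill of security, backup and database services, both leave traces in ordinary Windows event logs if forwarding is in place. The following is an added example (not Halcyon's code or any tooling from the post) that runs a simple triage over a constructed event stream. Windows event IDs 1102 (Security log cleared), 104 (System log cleared) and 7036 (Service Control Manager state change) are real identifiers; the pipe-delimited log format, the watchlist of service names, the two-minute window and the threshold of three stops are assumptions, and terminations performed by the locker may or may not surface as 7036 events in a real environment.

```python
"""Triage a constructed Windows event stream for two LukaLocker-style
indicators: event-log clearing and a burst of service terminations that
hits security, backup and database tooling.  Added example; formats and
thresholds are assumptions, not values from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|event_id|detail" (not real telemetry).
SAMPLE_EVENTS = """\
2024-06-15T01:58:10|WS01|7036|The Windows Update service entered the running state.
2024-06-15T02:00:01|WS01|1102|The audit log was cleared.
2024-06-15T02:00:02|WS01|104|The System log file was cleared.
2024-06-15T02:03:10|WS01|7036|The Veeam Backup Service service entered the stopped state.
2024-06-15T02:03:11|WS01|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.
2024-06-15T02:03:12|WS01|7036|The Microsoft Exchange Transport service entered the stopped state.
2024-06-15T02:03:13|WS01|7036|The Sophos Endpoint Defense Service service entered the stopped state.
2024-06-15T02:03:14|WS01|7036|The TeamViewer service entered the stopped state.
2024-06-15T09:00:00|WS02|7036|The Print Spooler service entered the stopped state.
"""

# Assumed watchlist covering the tool families the article says the locker stops.
WATCHLIST = ("veeam", "backup", "sql server", "oracle", "db2", "exchange",
             "sophos", "defender", "endpoint", "antivirus", "vmware",
             "hyper-v", "teamviewer", "anydesk")
LOG_CLEAR_IDS = {"1102", "104"}   # Security log cleared / System log cleared


def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, host, event_id, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, eid, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, eid, detail))
    return events


def find_log_clearing(events):
    """Return (host, timestamp, event_id) for every log-clear event seen."""
    return [(host, ts, eid) for ts, host, eid, _ in events if eid in LOG_CLEAR_IDS]


def find_kill_bursts(events, window=timedelta(minutes=2), threshold=3):
    """Return {host: count} where >= threshold watchlisted services stopped inside `window`."""
    stops = defaultdict(list)
    for ts, host, eid, detail in events:
        text = detail.lower()
        if eid == "7036" and "stopped state" in text and any(w in text for w in WATCHLIST):
            stops[host].append(ts)
    hits = {}
    for host, times in stops.items():
        times.sort()
        for i, start in enumerate(times):
            # Count stops falling inside the window that opens at this stop.
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits[host] = max(n, hits.get(host, 0))
    return hits


def triage(text=SAMPLE_EVENTS):
    """Run both detections and return a summary suitable for alerting."""
    events = parse_events(text)
    return {"log_clearing": find_log_clearing(events),
            "kill_bursts": find_kill_bursts(events)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The two signals are far stronger together than apart: a log clear followed minutes later by a burst of stopped backup and security services on the same host is, on the article's description, the shape of the pre-encryption phase, and is worth an automatic isolation rather than a ticket. Because the locker also clears logs, the detection only works if events are forwarded off the host as they are written.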
The locker uses the ChaCha8 cipher for bulk data encryption, randomly generating the ChaCha8 key and nonce through the Elliptic-curve Diffie-Hellman (ECDH) key agreement algorithm over Curve25519. Files can either be fully encrypted or encrypted at varying percentages, including 50%, 20%, or 10%.
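Partial encryption at fixed percentages leaves files that are ciphertext in one region and intact data in the rest, which matters for triage: a whole-file hash or a single entropy score will misclassify them. The following added example (not from the post or from Halcyon) estimates the encrypted fraction of a file by scoring Shannon entropy per chunk; the 4 KiB chunk size, the 7.5 bits/byte threshold and the constructed sample files are assumptions.

```python
"""Estimate how much of a file is encrypted by scoring per-chunk Shannon
entropy.  Text and structured data score well below 8 bits/byte; cipher
output from a stream cipher such as ChaCha8 scores close to 8.  Added
example; chunk size, threshold and sample data are assumptions."""
import math
import random


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_fraction(data: bytes, chunk: int = 4096, threshold: float = 7.5) -> float:
    """Fraction of fixed-size chunks whose entropy is at or above `threshold`."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if chunk_entropy(c) >= threshold)
    return high / len(chunks)


def classify(data: bytes) -> str:
    """Label a file as plain, partially encrypted or fully encrypted."""
    frac = encrypted_fraction(data)
    if frac == 0.0:
        return "plain"
    if frac >= 0.95:
        return "full"
    return "partial"


def build_samples() -> dict:
    """Constructed inputs: deterministic pseudo-random bytes stand in for ciphertext."""
    rng = random.Random(42)
    text = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit.\n" * 720)[:40960]
    noise = bytes(rng.getrandbits(8) for _ in range(40960))
    return {
        "plain": text,                        # 10 chunks, all low entropy
        "half": noise[:20480] + text[:20480],  # 50% mode: leading half encrypted
        "full": noise,                        # every chunk high entropy
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:5s} fraction={encrypted_fraction(blob):.2f} -> {classify(blob)}")
```

The caveat a practitioner needs: already-compressed or encrypted formats (archives, JPEGs, PDFs with compressed streams) score high on entropy before any attack, so the method is a triage aid for spotting the 50%/20%/10% pattern across a share, not proof that a given file was touched. Comparing per-chunk scores against a known-good copy or backup removes most of those false positives.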
Because of Volcano Demon’s extensive evasion capabilities, it was difficult for the Halcyon team to do a full forensic analysis of the attacks; moreover, the researchers did not reveal the type of organizations targeted by the threat actor. Halcyon did, however, manage to identify various indicators of compromise (IoCs) of the attackers, some of which have been uploaded to VirusTotal.
These IoCs include a Trojan, Protector.exe, and the Locker.exe encryptor. A Linux cryptor file called Linux locker/bin and a command-line script that precedes encryption, Reboot.bat, are also hallmarks of an attack by the novel ransomware actor.
With ransomware remaining a prevalent and disruptive threat to global organizations despite various law-enforcement crackdowns that have taken out leading cybercriminal gangs, vigilance is required among those in charge of defending networks. Given that Volcano Demon uses administrative passwords to organizations’ networks as an initial means of exploitation, defense tactics such as multifactor authentication (MFA) and employee training to identify phishing campaigns that put credentials in attackers’ hands can help avoid compromise.
