
LukaLocker Ransomware

A new ransomware actor employing double-extortion tactics has emerged with a series of attacks within a short period. This actor introduces a new locker malware dubbed the LukaLocker Ransomware, equipped with various evasion techniques to obfuscate its operations and hinder forensic investigations. The group, identified by researchers as 'Volcano Demon,' has garnered attention for its use of LukaLocker, a previously unseen locker malware. Files encrypted by this threat are appended with the '.nba' extension.

Tactics Observed in the Volcano Demon Attacks

The attackers employ sophisticated evasion methods, such as ensuring that only minimal logging and monitoring solutions are in place on the victim's systems before initiating attacks. Additionally, they use 'threatening' phone calls from 'No Caller ID' numbers to coerce victims into paying the ransom or negotiating terms.

Prior to exploitation, logs are systematically cleared, impeding comprehensive forensic analysis of detected incidents. Despite employing double-extortion tactics during its operations, the group known as Volcano Demon does not maintain a leak site.

During their assaults, the Volcano Demon utilizes compromised administrative credentials obtained from victim networks to introduce a Linux variant of LukaLocker. This malware effectively encrypts both Windows workstations and servers. Before deploying ransomware, the attackers exfiltrate data to their Command-and-Control server (C2), enhancing their leverage in double extortion scenarios.

Victims are instructed to communicate via qTox messaging software and await callbacks for technical support, complicating efforts to trace communications between the attackers and victims.

The LukaLocker Ransomware Terminates Security Software and Locks Data

The LukaLocker Ransomware was discovered in June 2024 as an x64 PE binary developed in C++. According to researchers, it employs API obfuscation and dynamic API resolution to obscure its malicious operations, evading detection, analysis and reverse engineering. The ransomware uses the Chacha8 cipher for encrypting data in bulk. It generates a random Chacha8 key and nonce using the Elliptic-curve Diffie-Hellman (ECDH) key agreement algorithm over Curve25519. Files can be encrypted entirely or at different percentages, such as 50%, 20%, or 10%.
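As an added defender-side illustration (not code from this page or from any LukaLocker analysis), the following Python estimates how much of a file has been overwritten with cipher-like data by scoring 4 KiB windows on Shannon entropy, which is one way to triage the fully or partially encrypted (50%, 20%, 10%) files described above. The sample file, the window size and the 7.5 bits/byte cutoff are assumptions, and seeded pseudo-random bytes stand in for ChaCha8 output.

```python
import math
import random

CHUNK = 4096          # assumed window size in bytes
HIGH_ENTROPY = 7.5    # assumed cutoff in bits/byte: stream-cipher output sits near 8.0, text near 4-5


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def encrypted_fraction(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size windows whose entropy looks like cipher output.
    Layout-independent: it does not matter where in the file the ciphertext sits."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not windows:
        return 0.0
    high = sum(1 for w in windows if shannon_entropy(w) >= HIGH_ENTROPY)
    return high / len(windows)


def classify(data: bytes) -> str:
    """Triage label for one file body."""
    frac = encrypted_fraction(data)
    if frac >= 0.95:
        return "fully encrypted"
    if frac >= 0.05:
        return f"partially encrypted (~{round(frac * 100)}%)"
    return "plaintext"


def make_sample(total: int, encrypted_pct: int, seed: int = 1) -> bytes:
    """Constructed test file: a repeated text line whose first encrypted_pct percent is
    replaced by seeded pseudo-random bytes (a stand-in for ChaCha8 output, not real ciphertext)."""
    line = b"Quarterly report: revenue, costs and headcount per region.\n"
    text = (line * (total // len(line) + 1))[:total]
    cut = total * encrypted_pct // 100
    return random.Random(seed).randbytes(cut) + text[cut:]


if __name__ == "__main__":
    for pct in (100, 50, 20, 10, 0):
        print(pct, classify(make_sample(10 * CHUNK, pct)))
```

Run against a directory of '.nba' files, the per-file fraction shows which files were only partially overwritten and so may still contain recoverable plaintext regions.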

Upon execution, unless '--sd-killer-off' is specified, LukaLocker promptly terminates several critical security and monitoring services across the network. These include anti-malware and endpoint protection tools, backup and recovery solutions, database software from Microsoft, IBM, and Oracle, Microsoft Exchange Server, virtualization software and remote access and monitoring tools. It also terminates processes related to Web browsers, Microsoft Office, and various cloud and remote access applications.
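The following Python is an added example, not part of this page or of any published LukaLocker detection content: it scans System event log lines (Event ID 7036 'entered the stopped state' records) for a burst of stops across security, backup and database services, which is the behaviour described above. The watched service names, the 30-second window, the threshold of three stops and the sample log lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed watch list: short service names for the product classes the page lists
# (endpoint protection, backup/VSS, Microsoft SQL Server, Exchange). Tune per estate.
WATCHED = {"WinDefend", "Sense", "MSSQLSERVER", "SQLWriter", "MSExchangeIS", "VSS", "wbengine"}
THRESHOLD = 3                   # watched stops needed to raise an alert
WINDOW = timedelta(seconds=30)  # burst length measured from the first stop

# Constructed line shape: "<timestamp> 7036 The <name> service entered the stopped state."
STOP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) 7036 The (?P<svc>.+?) service entered the stopped state\.$"
)


def parse_stop(line: str):
    """Return (timestamp, service) for a 7036 stop record, else None."""
    m = STOP_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["svc"]


def detect_bulk_service_stops(lines, threshold=THRESHOLD, window=WINDOW):
    """Group watched stops into bursts (each burst starts at its first stop and spans `window`)
    and return [(burst_start, [services...])] for bursts with at least `threshold` stops."""
    events = sorted((e for e in map(parse_stop, lines) if e and e[1] in WATCHED), key=lambda e: e[0])
    bursts, current = [], []
    for ts, svc in events:
        if current and ts - current[0][0] > window:
            if len(current) >= threshold:
                bursts.append(current)
            current = []
        current.append((ts, svc))
    if len(current) >= threshold:
        bursts.append(current)
    return [(b[0][0], [s for _, s in b]) for b in bursts]


# Constructed sample log: one benign stop, five security/backup/database stops inside 5 s, one isolated stop.
SAMPLE_LOG = """\
2024-06-12 02:14:01 7036 The Spooler service entered the stopped state.
2024-06-12 02:40:10 7036 The WinDefend service entered the stopped state.
2024-06-12 02:40:11 7036 The Sense service entered the stopped state.
2024-06-12 02:40:11 7036 The MSSQLSERVER service entered the stopped state.
2024-06-12 02:40:13 7036 The MSExchangeIS service entered the stopped state.
2024-06-12 02:40:15 7036 The VSS service entered the stopped state.
2024-06-12 03:10:00 7036 The wbengine service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for start, services in detect_bulk_service_stops(SAMPLE_LOG):
        print(f"ALERT {start}: {len(services)} watched services stopped: {', '.join(services)}")
```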

How to Better Protect Your Data and Devices from Ransomware Threats?

To better protect your data and devices from ransomware and malware threats, consider implementing the following practices:

  • Keep Your Applications Updated: Regularly update your operating system, applications, and security software to patch vulnerabilities that could be exploited by malware.
  • Use Strong, Unique Passwords: Employ complex passwords and change them frequently. Consider using a password manager to keep track of them securely.
  • Enable Multi-Factor Authentication (MFA): Add an extra layer of security by enabling MFA on accounts that support it, making it harder for attackers to gain unauthorized access.
  • Backup Data Regularly: Create and maintain regular backups of important files. Store backups in a separate location, either offline or in the cloud, to guarantee their safety even if your main system is compromised.
  • Be Prudent with Emails and Links: Avoid opening attachments or following links from unknown or suspicious sources. Verify the sender's identity before interacting with unexpected emails.
  • Install and Maintain Security Software: Use reputable anti-malware software and keep it updated. Enable real-time protection and run regular scans.
  • Secure Your Network: Use a strong, unique Wi-Fi password and enable WPA3 encryption. Consider establishing a guest network for visitors to keep your primary network secure.
  • Disable Macros in Office Documents: Disable macros in Microsoft Office documents unless you specifically need them. Macros are a common method for spreading malware.
  • Educate Yourself and Others: Stay informed about the latest cybersecurity threats and best practices. Educate family members or colleagues about phishing tactics and safe online behavior.
  • Use Firewalls: Enable firewalls on your devices and network to block unauthorized access and monitor incoming and outgoing traffic for suspicious activity.

By combining these strategies, the risk of falling victim to ransomware and other malware threats can be reduced drastically.
