What’s happening?
Security researchers have warned that a new ransomware group has taken an unusual twist on the traditional method of extorting money from its corporate victims.
So what’s different this time?
Whereas many ransomware attacks see a company’s company’s data exfiltrated by attackers, and the threat made that stolen data will be sold to other cybercriminals or released to the public, the Volcano Demon gang…
Sorry, excuse me? Volcano Demon?
Yes, that’s the name of the ransomware gang. Can I continue?
Sure. Go ahead. What are they doing?
As I was saying… the Volcano Demon group doesn’t appear to bother going to the effort of creating a site on the dark web to publish leaked data. Instead, it conducts its negotiations with its victims via the phone.
Wow. So could I actually end up speaking to the attackers if I worked at a company that was struck by a ransomware attack?
Yes, and it’s much more likely that a member of staff outside your cybersecurity team finds themselves in the prickly position of acting as a negotiator, unlike a demand that arrives via an email or a ransom note dropped by the cybercriminals on your compromised network.
Why would a ransomware gang even do this?
I hear you. As ransom negotiation techniques go, it sounds positively old-school to have a conversation over the phone. You might expect someone extorting a ransom back in the 1970s to make their demands on a telephone call, but not so much in the digital age where technology can help hide a villain’s true identity and location.
Security researchers at Halcyon, which has reported seeing at least two successful attacks perpetrated by Volcano Demon in the last week, say that the calls can be threatening in nature and come from unidentified caller-ID numbers.
So the company’s data is encrypted by the ransomware?
Yes, the Volcano Demon ransomware group encrypts files on your company network with LukaLocker, changing file extensions to .nba.
So they want money for a decryption key. But do they also steal the data?
I’m afraid so. Prior to data being encrypted in the attack, it is exfiltrated out of organisations. This means that companies can be threatened with the distribution of their data if they refuse to pay up.
How does a ransomware gang phoning you up change things?
It’s easy to imagine how a phone call can be more intimidating than an email message. Media reports indicate that the calls demanding the ransom can be “frequent” and that the attackers have a “heavy accent.” At this stage, it has not been possible to locate their country of origin.
In a traditional ransomware situation, it’s usually fairly straightforward for the victim to decide who will engage with the attackers and potentially negotiate how much of a ransom to pay. However, a phone call from an attacker could occur at any time of day or night and might be to any of many possible telephone numbers inside your organisation.
Employees who are working outside of the cybersecurity team may unexpectedly find themselves speaking to an attacker. Handling conversations of this type is tricky enough for any business; some will even bring in professional negotiators. But when it can be anyone on the payroll who receives the call from the extortionist, it’s much harder to control.
So, you said the phone calls can be intimidating and threatening?
Yes. The cybercriminals will have no qualms about making threats to secure their payday. And the ransom note left by the attackers doesn’t beat around the bush either:
“Your corporate network has been encrypted. And that’s not all – we studied and downloaded a lot of your data.” “If you ignore this incident, we will ensure that your confidential data is widely available to the public. We will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees.”
But won’t the authorities be able to find out where the phone call has come from?
Although the calls have so far come from unidentified caller-ID numbers, there is hope that the attackers’ use of phone calls rather than taking advantage of the dark web’s anonymity will ultimately work to the police’s advantage.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.