UPDATED 18:57 EDT / JULY 04 2024

New ransomware group ‘Volcano Demon’ uses direct phone calls to pressure victims

A report released July 1 by cybersecurity startup Halcyon Tech Inc. is warning of a new ransomware group that frequently makes phone calls to pressure victims into paying up.

Dubbed “Volcano Demon,” the group has reportedly been active since the last two weeks of June and has already carried out several attacks. It has been observed deploying a ransomware variant called LukaLocker, which appends a .nba extension to the files it encrypts.

Researchers at Halcyon have identified multiple attack tools used by the group, including a Linux version of LukaLocker. The ransomware has successfully locked both Windows workstations and servers after the attackers gained access using common administrative credentials harvested from the victim’s network.

Volcano Demon uses a double extortion (sometimes called “double-tap”) method: after gaining access to a victim’s systems, the operator not only encrypts files but also steals them first. The group then demands payment both for a decryption key and for a promise not to sell or publish the stolen data. The stolen data is used as leverage, with victims told that the damage to the company’s reputation will be far worse if the data is published.

Most of Volcano Demon’s ransomware activities sound like any new ransomware group coming onto the scene, but then things get interesting. Unlike its ransomware contemporaries, Volcano Demon doesn’t have a dark web leak site to coerce victims, but instead takes a more old-fashioned and direct approach: It repeatedly calls its victims.

In the two cases observed by Halcyon, those behind Volcano Demon used phone calls to leadership and information technology executives to extort them and negotiate payment. The calls came from unidentified caller ID numbers and are said to have been threatening at times, both in tone and in what was demanded.

It’s unknown, so far, exactly how extensive Volcano Demon’s operations are; while Halcyon has only observed two cases from the group so far, there are likely other undocumented victims.

To mitigate the risk of a Volcano Demon attack, Halcyon’s researchers note the importance of robust logging and monitoring to detect and respond to ransomware activity before an encryption run completes.

Organizations should review their security posture to ensure that administrative credentials are securely managed and comprehensive backup and recovery strategies are in place to mitigate ransomware impacts. Maintaining up-to-date antivirus and endpoint protection services and regular system audits is also noted as being crucial for early detection and prevention of ransomware attacks.
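As an added example (not Halcyon’s tooling and not part of the original report), the script below shows the kind of check the “robust logging and monitoring” advice points at: it replays file-event log lines and raises an alert when a single account on a single host renames many files to the .nba extension that LukaLocker appends, within a short window. The log format, field layout, hostnames, usernames and thresholds are assumptions chosen for illustration; the sample lines are constructed, not real telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample file-event log lines (not real telemetry). Assumed format:
# <ISO timestamp> <host> <user> <action> <path>, where a RENAME carries
# "<old path> -> <new path>". Lines are assumed to be in time order.
SAMPLE_LOG = """\
2024-06-20T02:14:03Z ws-17 jdoe RENAME C:\\Users\\jdoe\\report.docx -> C:\\Users\\jdoe\\report-final.docx
2024-06-20T02:15:10Z srv-fs01 svc_backup WRITE D:\\Shares\\Finance\\Q2 Budget.xlsx
2024-06-20T03:01:00Z srv-fs01 ADMIN RENAME D:\\Shares\\Finance\\Q2 Budget.xlsx -> D:\\Shares\\Finance\\Q2 Budget.xlsx.nba
2024-06-20T03:01:01Z srv-fs01 ADMIN RENAME D:\\Shares\\Finance\\payroll.csv -> D:\\Shares\\Finance\\payroll.csv.nba
2024-06-20T03:01:01Z srv-fs01 ADMIN RENAME D:\\Shares\\HR\\contracts.pdf -> D:\\Shares\\HR\\contracts.pdf.NBA
2024-06-20T03:01:02Z srv-fs01 ADMIN RENAME D:\\Shares\\HR\\handbook.docx -> D:\\Shares\\HR\\handbook.docx.nba
2024-06-20T03:01:03Z srv-fs01 ADMIN RENAME D:\\Shares\\Eng\\design.vsdx -> D:\\Shares\\Eng\\design.vsdx.nba
2024-06-20T03:05:00Z ws-22 asmith RENAME C:\\Users\\asmith\\notes.txt -> C:\\Users\\asmith\\notes.txt.nba
2024-06-20T09:30:00Z ws-22 asmith RENAME C:\\Users\\asmith\\old.txt -> C:\\Users\\asmith\\old.txt.nba
"""

# timestamp, host, user, action, then the remainder of the line (paths may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts, host, user, action, rest = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if action == "RENAME" and " -> " in rest:
        src, dst = rest.split(" -> ", 1)
    else:
        src, dst = rest, None
    return {"ts": when, "host": host, "user": user, "action": action, "src": src, "dst": dst}


def detect_encryption_bursts(log_text, ext=".nba", threshold=5, window_s=60):
    """Alert once per (host, user) whose renames to `ext` reach `threshold`
    within any sliding window of `window_s` seconds.

    The extension comparison is case-insensitive so a variant that writes
    ".NBA" is still caught. Renames to other extensions are ignored, so a
    user renaming one document stays below the radar.
    """
    recent = defaultdict(deque)   # (host, user) -> timestamps of matching renames
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "RENAME" or ev["dst"] is None:
            continue
        if not ev["dst"].lower().endswith(ext.lower()):
            continue
        key = (ev["host"], ev["user"])
        window = recent[key]
        window.append(ev["ts"])
        # drop timestamps that fell out of the sliding window
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerts:
            alerts[key] = {
                "host": ev["host"],
                "user": ev["user"],
                "first_seen": window[0].isoformat(),
                "count": len(window),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['host']} account {alert['user']} renamed "
              f"{alert['count']} files to .nba starting {alert['first_seen']}")
```

Run against the sample, the check fires once, for the ADMIN account on srv-fs01 (five .nba renames in three seconds), and stays quiet for the workstation where two such renames are hours apart. Because it keys on host and user, the same shared administrative account encrypting several servers produces one alert per server, which is itself a useful signal of the credential reuse the report describes. This fires only once encryption has started, so it is a containment control; the credential hygiene and backup measures above are what limit the damage by the time it does.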

Image: SiliconANGLE/GPT-4o
