Volcano Demon Group Targets Idealease Inc. Using LukaLocker Ransomware
Overview
The SonicWall Capture Labs threats research team has recently been tracking new ransomware known as LukaLocker. This malware has been seen in the wild over the last few weeks and is being distributed by the Volcano Demon group. A conversation with the operator reveals that the malware is targeted at Idealease Inc., a truck leasing company. Communication with the operator is via qTox.
Infection Cycle
The malware is an x64 binary written in C++. When it runs, a command prompt window appears and lists the processes that the malware attempts to kill:
Figure 1: Process killing stage
After this process is complete, it encrypts files on the system and appends “.NBA” to their filenames.
It writes readme.txt to the desktop. This text file contains the following message, with a touch of leet speak:
Figure 2: Ransom note
Decompiling the binary reveals a large list of targeted processes to kill:
Figure 3: List of processes to kill in decompiled code
Various security, monitoring and backup services are targeted, including antivirus software such as Malwarebytes, Sophos, McAfee and Trend Micro. If any of these is present on the system, the malware stops its service.
Figure 4: List of security and backup services to stop
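The two host-side behaviours described above (stopping security and backup services, then renaming encrypted files with the ".NBA" extension and dropping readme.txt on the desktop) can be correlated in endpoint telemetry. The following is an added detection example, not code from the article or from SonicWall; the event format, host names and service names are constructed placeholders, and only the vendor keywords come from the article.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not taken from the article. One event per line:
# "<timestamp> <host> <event_type> <detail>". Service names are placeholders.
SAMPLE_EVENTS = """\
2024-07-01T10:00:01 HOST-A service_stop SophosExamplePlaceholder
2024-07-01T10:00:02 HOST-A service_stop MalwarebytesExamplePlaceholder
2024-07-01T10:00:03 HOST-A service_stop BackupExamplePlaceholder
2024-07-01T10:00:15 HOST-A file_rename C:\\Users\\u\\Documents\\q3.xlsx -> C:\\Users\\u\\Documents\\q3.xlsx.NBA
2024-07-01T10:00:16 HOST-A file_create C:\\Users\\u\\Desktop\\readme.txt
2024-07-01T10:00:17 HOST-A file_rename C:\\Users\\u\\Documents\\a.docx -> C:\\Users\\u\\Documents\\a.docx.NBA
2024-07-01T11:00:00 HOST-B service_stop Spooler
2024-07-01T11:05:00 HOST-B file_rename C:\\tmp\\x.txt -> C:\\tmp\\x.txt.bak
"""

# Vendors the article names as targets, matched case-insensitively in service names.
SECURITY_KEYWORDS = ("malwarebytes", "sophos", "mcafee", "trend", "backup")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_events(text):
    """Yield (timestamp, host, event_type, detail) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def analyse(text):
    """Per host, count LukaLocker-style indicators: security/backup service stops,
    renames to the .NBA extension, and a readme.txt created on a Desktop."""
    stats = defaultdict(lambda: {"sec_stops": 0, "nba_renames": 0, "ransom_note": False})
    for _ts, host, etype, detail in parse_events(text):
        s = stats[host]
        if etype == "service_stop" and any(k in detail.lower() for k in SECURITY_KEYWORDS):
            s["sec_stops"] += 1
        elif etype == "file_rename" and detail.lower().endswith(".nba"):
            s["nba_renames"] += 1
        elif etype == "file_create" and re.search(r"\\desktop\\readme\.txt$", detail, re.I):
            s["ransom_note"] = True
    return dict(stats)

def flagged_hosts(text, min_stops=2):
    """Flag a host when service tampering is followed by encryption artefacts:
    at least `min_stops` security/backup stops plus a .NBA rename or the ransom note."""
    return sorted(h for h, s in analyse(text).items()
                  if s["sec_stops"] >= min_stops and (s["nba_renames"] > 0 or s["ransom_note"]))

if __name__ == "__main__":
    for host, s in analyse(SAMPLE_EVENTS).items():
        print(host, s)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))  # flagged: ['HOST-A']
```

HOST-B is not flagged because stopping an unrelated service and renaming to ".bak" match neither indicator, which is the point of requiring both stages before alerting.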
The ransom message states that the qTox encrypted chat client must be used to communicate with the operator in order to retrieve files. qTox is an instant messaging client aimed at evading government monitoring.
We had the following conversation with the operator. This variant of the malware is targeted at a specific company, Idealease Inc., and help is only provided to someone in senior management at that company:
Figure 5: Conversation with operator
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: LukaLocker.RSM(Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.