Volcano Demon Group Targets Idealease Inc. Using LukaLocker Ransomware

Overview

The SonicWall Capture Labs threat research team has recently been tracking new ransomware known as LukaLocker. This malware has been seen in the wild over the last few weeks and is being distributed by the Volcano Demon group. A conversation with the operator reveals that this variant is targeted at Idealease Inc., a truck leasing company. Communication with the operator is via qTox.

Infection Cycle

The malware is an x64 binary written in C++. When run, it opens a command prompt window that lists the processes it attempts to kill:

Figure 1: Process killing stage

Once the process-killing stage completes, the malware encrypts files on the system and appends ".NBA" to their filenames.

It also writes readme.txt to the desktop. This text file contains the following message, written with a touch of leet speak:

Figure 2: Ransom note
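The two on-disk indicators above (the ".NBA" suffix and a readme.txt note that points victims to qTox) are enough for a quick triage sweep of a suspect host or a restored backup. The following script is an added example written for this page, not SonicWall's code or anything from the malware; it builds a small constructed directory tree in a temp folder so it runs offline, and the note text and file names in that tree are made up for the demo.

```python
"""Filesystem triage for the on-disk LukaLocker indicators described above.

Added example, not SonicWall's code or the malware's. It walks a directory
tree looking for two artifacts the write-up describes: files that gained a
".NBA" suffix and a readme.txt ransom note that tells the victim to use qTox.
The sample tree built by build_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".NBA"   # extension appended by LukaLocker (per the write-up)
NOTE_NAME = "readme.txt"    # ransom note name (per the write-up)
NOTE_MARKER = "qtox"        # the note tells victims to contact the operator via qTox


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)   # paths with the .NBA suffix
    notes: list = field(default_factory=list)       # paths of matching ransom notes

    @property
    def hit(self) -> bool:
        return bool(self.encrypted) or bool(self.notes)

    def original_names(self):
        """Base names of the encrypted files with the appended suffix removed."""
        return [os.path.basename(p)[:-len(ENCRYPTED_SUFFIX)] for p in self.encrypted]


def looks_like_note(path: str) -> bool:
    """A readme.txt only counts if it carries the qTox contact instruction;
    plenty of legitimate software ships a readme.txt."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return NOTE_MARKER in head.lower()


def scan_tree(root: str) -> TriageResult:
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # NTFS file names are case-insensitive, so compare case-insensitively.
            if name.upper().endswith(ENCRYPTED_SUFFIX):
                result.encrypted.append(path)
            elif name.lower() == NOTE_NAME and looks_like_note(path):
                result.notes.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample tree (assumption, for the demo only): two encrypted
    files, one ransom note on the Desktop, one clean file and one benign readme."""
    root = tempfile.mkdtemp(prefix="lukalocker-demo-")
    files = {
        os.path.join("Desktop", "readme.txt"):
            "Y0ur f1l3s h4ve been encrypted. C0ntact us via qTox t0 rec0ver them.\n",
        os.path.join("Documents", "q2-report.docx.NBA"): "<ciphertext>",
        os.path.join("Documents", "budget.xlsx.nba"): "<ciphertext>",
        os.path.join("Documents", "untouched.txt"): "plain text, not encrypted\n",
        os.path.join("tools", "readme.txt"): "Build instructions for the tool.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    print("hit:", res.hit)
    print("encrypted:", res.original_names())
    print("notes:", res.notes)
```

Run it against a mounted evidence image or a restored share instead of the sample tree by passing that path to `scan_tree()`. Matching the note on its content rather than its name alone keeps unrelated readme.txt files from inflating the result.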

Decompiling the binary reveals a large list of targeted processes to kill:

Figure 3: List of processes to kill in decompiled code

Various security, monitoring and backup services are also targeted, including antivirus products from Malwarebytes, Sophos, McAfee and Trend Micro. If any of these are present on the system, the malware disables the service.

Figure 4: List of security and backup services to stop
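Stopping or disabling a service leaves a trace on the host: the Service Control Manager logs Event ID 7036 in the System log when a service enters the stopped state and Event ID 7040 when its start type is changed to disabled. A burst of such events for security and backup services is the observable side effect of the stage above. The detector below is an added example written for this page, not SonicWall's code; the log lines, the vendor keyword list and the burst threshold are constructed assumptions, and the service display names on a real host will differ.

```python
"""Detect a burst of security/backup services being stopped or disabled.

Added example, not SonicWall's code. Windows records Event ID 7036 ("entered
the stopped state") and 7040 (start type changed) from the Service Control
Manager in the System log. The flattened log format, the keyword list and the
sample lines in SAMPLE_LOG are constructed for this demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: match services by vendor keyword, since exact display names vary
# by product and version. Vendors are those named in the write-up.
PROTECTED_KEYWORDS = ("malwarebytes", "sophos", "mcafee", "trend micro", "backup")

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) '
    r'Source="(?P<src>[^"]*)" Message="(?P<msg>[^"]*)"$'
)
STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
DISABLED_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$"
)

# Constructed sample: one lone stop an hour earlier (benign), then a burst.
SAMPLE_LOG = """\
2024-07-01 09:00:02 EventID=7036 Source="Service Control Manager" Message="The Sophos MCS Client service entered the stopped state."
2024-07-01 10:15:01 EventID=7036 Source="Service Control Manager" Message="The Malwarebytes Service service entered the stopped state."
2024-07-01 10:15:02 EventID=7036 Source="Service Control Manager" Message="The Print Spooler service entered the stopped state."
2024-07-01 10:15:03 EventID=7036 Source="Service Control Manager" Message="The Sophos MCS Client service entered the stopped state."
2024-07-01 10:15:04 EventID=7036 Source="Service Control Manager" Message="The McAfee Agent Service service entered the stopped state."
2024-07-01 10:15:05 EventID=7040 Source="Service Control Manager" Message="The start type of the Trend Micro Solution Platform service was changed from auto start to disabled."
2024-07-01 10:15:06 EventID=7036 Source="Service Control Manager" Message="The Trend Micro Solution Platform service entered the stopped state."
2024-07-01 10:15:07 EventID=7036 Source="Service Control Manager" Message="The Windows Backup service entered the stopped state."
"""


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime
    action: str      # "stopped" (7036) or "disabled" (7040)
    service: str


@dataclass
class Burst:
    start: datetime
    end: datetime
    services: set


def parse_events(text: str) -> list:
    """Extract stop/disable events from Service Control Manager log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != "Service Control Manager":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        eid, msg = int(m.group("eid")), m.group("msg")
        if eid == 7036 and (s := STOPPED_RE.match(msg)):
            events.append(Event(ts, "stopped", s.group("svc")))
        elif eid == 7040 and (s := DISABLED_RE.match(msg)):
            events.append(Event(ts, "disabled", s.group("svc")))
    return events


def is_protected(service: str) -> bool:
    name = service.lower()
    return any(k in name for k in PROTECTED_KEYWORDS)


def _close(cluster: list, bursts: list, min_services: int) -> None:
    services = {e.service for e in cluster}
    if len(services) >= min_services:
        bursts.append(Burst(cluster[0].ts, cluster[-1].ts, services))


def find_bursts(events, window=timedelta(seconds=60), min_services=3) -> list:
    """Cluster protected-service events whose gaps are within `window`; report
    clusters touching at least `min_services` distinct services. A single
    service restart does not alert; several vendors in quick succession does."""
    protected = sorted(e for e in events if is_protected(e.service))
    bursts, cluster = [], []
    for ev in protected:
        if cluster and ev.ts - cluster[-1].ts > window:
            _close(cluster, bursts, min_services)
            cluster = []
        cluster.append(ev)
    if cluster:
        _close(cluster, bursts, min_services)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b.start} - {b.end}: {len(b.services)} protected services affected")
        for svc in sorted(b.services):
            print("  ", svc)
```

Counting distinct services rather than raw events keeps a single product that logs both a 7040 and a 7036 from tripping the threshold on its own; the window and minimum are tuning knobs, and an attacker who spaces the stops out over minutes would need a longer window or a lower threshold to be caught.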

The ransom message states that the qTox encrypted chat client must be used to communicate with the operator in order to retrieve files. qTox is an instant messaging client built on the Tox protocol, which provides peer-to-peer, end-to-end encrypted messaging without a central server and was designed to resist surveillance.

We had the following conversation with the operator. Because this variant is targeted at a specific company, Idealease Inc., the operator only offers help to someone in that company's senior management:

Figure 5: Conversation with operator

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LukaLocker.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
