New Threat Actor Volcano Demon Serves Up LukaLocker Ransomware

Date: July 2, 2024

Researchers at anti-ransomware solutions provider Halcyon recently identified a new ransomware operator dubbed Volcano Demon after analyzing multiple attacks over the past two weeks.

The group's LukaLocker ransomware payload has been observed encrypting victim files with the .nba file extension. A Linux version of LukaLocker was also discovered on one victim’s network.

Volcano Demon successfully locked both Windows workstations and servers using common administrative credentials obtained from the network. Before initiating the attack, the operators exfiltrated data to command-and-control (C2) services, employing double extortion tactics.

The attackers cleared logs prior to exploitation. Combined with the limited logging and monitoring solutions in place before the incident, this track-covering made a comprehensive forensic evaluation nearly impossible.

The threat actor does not appear to operate a public leak site; instead, it uses phone calls to intimidate leadership at victim organizations and negotiate payment. These calls originate from unidentified numbers and often carry a threatening tone.

The LukaLocker sample analyzed in this report was discovered on June 15, 2024. This ransomware is a 64-bit PE binary written and compiled in C++. LukaLocker employs API obfuscation and dynamic API resolution to hide its malicious functionalities, making detection, analysis, and reverse engineering difficult.

Upon execution, unless the parameter “--sd-killer-off” is specified, LukaLocker immediately terminates several security tools and services, similar to methods previously used by the Conti ransomware gang.

The ransomware uses the ChaCha8 cipher for bulk data encryption. The ChaCha8 key and nonce are randomly generated, with the key derived through the Elliptic-curve Diffie–Hellman (ECDH) key agreement algorithm over Curve25519. The ransomware allows for full or partial encryption, with options to encrypt 100%, 50%, 20%, or 10% of the file data.
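The partial-encryption modes above leave a measurable footprint on disk: only a fraction of a file's chunks turn into near-8-bits-per-byte ciphertext while the rest stays readable. The Python below is an added defensive illustration, not code from the Halcyon report or the LukaLocker sample; it scores files chunk by chunk and maps the high-entropy share onto the 100/50/20/10 percent ratios. The sample files, the .nba filenames and the assumption that the encrypted bytes form a contiguous prefix are constructed here, since the report does not describe which byte ranges are encrypted.

```python
"""Constructed example: flag files whose content is partially or fully
high-entropy, the footprint of 100/50/20/10 percent encryption modes."""
import math
import random
from collections import Counter

CHUNK = 4096                  # scan granularity in bytes
HIGH_ENTROPY = 7.5            # bits/byte; stream-cipher output sits near 8.0
MODES = (1.0, 0.5, 0.2, 0.1)  # the four encryption ratios named in the report

def chunk_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def encrypted_fraction(blob: bytes, chunk: int = CHUNK) -> float:
    """Share of fixed-size chunks whose entropy is near the 8-bit ceiling."""
    chunks = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    if not chunks:
        return 0.0
    hot = sum(1 for c in chunks if chunk_entropy(c) >= HIGH_ENTROPY)
    return hot / len(chunks)

def nearest_mode(fraction: float, tolerance: float = 0.05):
    """Map the observed fraction onto one of the report's ratios, or None."""
    best = min(MODES, key=lambda m: abs(m - fraction))
    return best if abs(best - fraction) <= tolerance else None

def assess(name: str, blob: bytes) -> dict:
    """Combine the .nba rename and the entropy footprint into one verdict.
    Caveat: already-compressed formats (zip, jpeg, mp4) are high-entropy by
    nature and score as 'encrypted'; exclude them by magic bytes in practice."""
    frac = encrypted_fraction(blob)
    return {"name": name, "renamed_nba": name.lower().endswith(".nba"),
            "encrypted_fraction": round(frac, 2), "mode": nearest_mode(frac)}

def make_sample(ratio: float, chunks: int = 40, seed: int = 1) -> bytes:
    """Constructed victim file: a seeded-random prefix standing in for
    ciphertext (assumption: a contiguous prefix) followed by repetitive,
    low-entropy text standing in for the untouched remainder."""
    n_enc = round(chunks * ratio)
    enc = random.Random(seed).randbytes(n_enc * CHUNK)
    filler = (b"Q2 forecast, region north, unchanged\n" * 200)[:CHUNK]
    return enc + filler * (chunks - n_enc)

if __name__ == "__main__":
    for r in MODES:
        print(assess("budget.xlsx.nba", make_sample(r)))   # constructed name
    print(assess("budget.xlsx", make_sample(0.0)))         # clean baseline
```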

Ransomware operators continue to evolve: several new threat actors have emerged in recent weeks, targeting a diverse range of industries. In April and May of 2024, four other notable ransomware groups surfaced, each demonstrating unique tactics, techniques, and procedures (TTPs).

These include Arcus Media, APT73, dan0n, and Space Bears:

  • Arcus Media emerged in May 2024, quickly establishing itself as a significant threat. The group operates a Ransomware-as-a-Service (RaaS) model, enabling other threat actors to use its malware. Its unique approach to malware development, double extortion tactics, and aggressive targeting make it a notable adversary.
  • APT73, identified in late April 2024, appears to be a spin-off from the infamous LockBit group, exhibiting a calculated approach to ransomware with a focus on the business services sector. Notable victims include Brightway Consultants Ltd and Fortify Enterprise Inc., with the group responsible for 5 attacks targeting the business services and software industries.
  • Emerging in May 2024, dan0n is a newcomer with a notable operational tempo, distinguishing itself by focusing on data exfiltration rather than encryption. This strategic pivot in ransomware operations has allowed the group to target significant firms such as The Blake Law Firm and Allen Blasting and Coating, Inc.
  • Space Bears surfaced in April 2024, quickly gaining notoriety for its corporate-themed data leak site and strategic affiliations. Aligned with the Phobos ransomware-as-a-service group, Space Bears stands out for its distinctive approach, notably using double extortion tactics to maximize pressure on victims.

The emergence of new ransomware operators like Volcano Demon, Arcus Media, APT73, dan0n, and Space Bears underscores the evolving nature of ransomware threats, and observations so far suggest that these groups may be more organized and better funded than previously anticipated.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.