Security research firm Halcyon recently reported that it “encountered” a new ransomware organization dubbed Volcano Demon several times in the past few weeks.

According to its report, Volcano Demon uses the encryptor LukaLocker with a .nba file extension. Halcyon provided an encryptor sample in its post.

Although Volcano Demon uses traditional methods of extortion, including encryption, exfiltration, and double extortion techniques, Halcyon noted that “logs were cleared prior to exploitation and…a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event.”

Further, and very concerning to this writer, is that Volcano Demon doesn’t establish a leak site or negotiate under what we sickeningly call “normal” communication methods. No, Volcano Demon doesn’t email or use the Onion or Tor platforms; Volcano Demon calls the victim. This means they are calling random people in the organization (people who are probably not part of the incident response team) and threatening and scaring them with angry phone calls. During an incident, it is crucial to try to control communication with the threat actor and the organization, and professionals are hired to assist. This goes out the window when the threat actor starts calling random people in the organization who are unprepared and vulnerable. Needless to say, I don’t need to detail the risks and concerns with this new technique.

Once one threat actor finds a successful technique, others will copy it, so I predict that this will not be the last time we see this technique used. It is important to highlight this new technique when you are conducting tabletop exercises, to determine steps you will take to respond and mitigate, and when rolling out wider cybersecurity training to the organization. Your people need to know what to do if they get called by a threat actor. They need to know who to contact and exactly what to do. They can’t be left to figure it out on their own. I am now incorporating this into all training sessions to at least try to give employees a heads up and provide tips to keep their heads cool during stressful situations.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.