A newly discovered spam campaign has been spreading the Knight ransomware payload in a file that mimics a TripAdvisor complaint. Based on reports, the ransomware is allegedly a new version of the now-defunct Cyclops ransomware, last seen in May. Moreover, the ransomware operators have no victims listed on their website.
Researchers explained that the new Knight campaign uses an HTML attachment named TripAdvisor-Complaint-[random].PDF.htm that, when opened, redirects the recipient to a fake TripAdvisor page rendered in the browser.
The malicious browser page claims to show a complaint submitted against the recipient's restaurant and asks the user to review it.
Once the user clicks the ‘Read Complaint’ button, the page downloads a file named ‘TripAdvisor_Complaint-Possible-Suspension.xll’, an Excel add-in rather than a spreadsheet; opening it executes the ransomware.
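The delivery chain above relies on two attachment-name tricks: a document-looking double extension that is really an HTML file, and an Excel add-in (.xll) passed off as a document. The following Python script is an added example (not code from the original report or from any vendor) that applies those heuristics to a list of attachment names; the scoring weights and the sample filenames are constructed for illustration, and the random token in the campaign's filename is filled with a made-up value.

```python
import re

# Heuristics derived from the delivery chain described above: an HTML
# attachment disguised with a document-looking double extension, and an
# Excel add-in (.xll) offered for download. Weights are assumptions for
# this example, not vendor thresholds.
DOUBLE_EXT_HTML = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.html?$", re.IGNORECASE)
HTML_ATTACHMENT = re.compile(r"\.html?$", re.IGNORECASE)
EXCEL_ADDIN = re.compile(r"\.xll$", re.IGNORECASE)

RULES = (
    ("double-extension-html", DOUBLE_EXT_HTML, 3),
    ("excel-addin", EXCEL_ADDIN, 3),
    ("html-attachment", HTML_ATTACHMENT, 1),
)


def classify_attachment(filename):
    """Return (score, sorted flag names) for one attachment filename."""
    flags = [name for name, pattern, _ in RULES if pattern.search(filename)]
    score = sum(weight for name, _, weight in RULES if name in flags)
    return score, sorted(flags)


def triage(attachments):
    """Keep only flagged attachments, highest score first (then by name)."""
    rows = []
    for name in attachments:
        score, flags = classify_attachment(name)
        if score:
            rows.append({"name": name, "score": score, "flags": flags})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample: the two names from the campaign (random token filled
# with a made-up value) plus benign attachments for contrast.
SAMPLE_ATTACHMENTS = [
    "TripAdvisor-Complaint-8a3f1c.PDF.htm",
    "TripAdvisor_Complaint-Possible-Suspension.xll",
    "invoice-2023-07.pdf",
    "menu.html",
    "report.docx",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ATTACHMENTS):
        print(f'{row["score"]:>2}  {row["name"]:<48} {", ".join(row["flags"])}')
```

The double-extension rule matches case-insensitively because the campaign's own file used an upper-case `.PDF` before the `.htm`; a plain `.html` attachment scores low on its own, so the double extension and the add-in are what push an item to the top of the triage list.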
Experts claimed that Knight ransomware is a revamp of Cyclops.
According to investigations, Knight ransomware first appeared last month after its operators revamped the Cyclops panel and program.
The researchers also observed the group recruiting affiliates on the RAMP hacking forum to upgrade its data-stealing capability against Linux and Windows systems. Additionally, the ransomware operators offer a lite version that other actors can use in spam, batch-distribution, and spray-and-pray campaigns.
To carry out encryption, the threat actors inject the Knight Lite encryptor into a new explorer.exe process, which then encrypts the files on the targeted device. The encryptor appends the .knigh_1 extension to each encrypted file's name; experts believe the ‘1’ stands for lite.
Lastly, the ransomware drops a note in every folder on the computer demanding a ransom, to be sent to a specific Bitcoin address. The researchers said the demand is about $5,000.
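Two artifacts from the encryption stage described above are cheap to check for on a suspect host: files carrying the reported extension, and a note file that is repeated in every affected folder. The Python script below is an added example (not code from the original report) that walks a directory tree, counts folders holding files with that extension, and identifies the note as the non-encrypted filename present in all of those folders, which works even when the note's name is not known in advance. The sample directory layout and the `RANSOM_NOTE_PLACEHOLDER.txt` name are constructed for the example; the article does not give the real note filename.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".knigh_1"  # extension reported in the article for Knight Lite


def scan_tree(root, ext=ENCRYPTED_EXT):
    """Walk root and summarise folders containing files with the encrypted extension.

    Because the note is dropped into every affected folder, any non-encrypted
    filename that appears in all of them is a strong ransom-note candidate.
    """
    affected = {}
    name_counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ext)]
        if not encrypted:
            continue  # untouched folder, nothing to record
        affected[dirpath] = len(encrypted)
        for f in files:
            if not f.lower().endswith(ext):
                name_counts[f] += 1  # one hit per folder, since names are unique per dir
    n = len(affected)
    candidates = sorted(name for name, c in name_counts.items() if n and c == n)
    return {
        "affected_folders": n,
        "encrypted_files": sum(affected.values()),
        "note_candidates": candidates,
    }


def build_sample_tree(base, note_name="RANSOM_NOTE_PLACEHOLDER.txt"):
    """Create a constructed directory layout imitating the post-encryption state."""
    layout = {
        "Documents": ["budget.xlsx" + ENCRYPTED_EXT, "letter.docx" + ENCRYPTED_EXT, note_name],
        "Pictures": ["cat.jpg" + ENCRYPTED_EXT, note_name, "Thumbs.db"],
        os.path.join("Pictures", "2022"): ["trip.png" + ENCRYPTED_EXT, note_name],
        "Program Files": ["app.exe", "readme.txt"],  # untouched folder for contrast
    }
    for folder, names in layout.items():
        path = os.path.join(base, folder)
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

On the constructed tree the scan reports three affected folders, four encrypted files, and exactly one note candidate; `Thumbs.db` is rejected because it appears in only one of the affected folders. On a real host, run the scan against user data directories and treat a single name that recurs across all affected folders as the note to collect for analysis.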
Cybersecurity experts explained that ransomware rebranding is a common tactic among cybercriminals seeking to widen their reach while keeping a low profile.
This tactic remains prevalent across the cybercriminal landscape, so users should follow the mitigation guidance published by CISA to identify and remediate the weaknesses that ransomware attackers exploit.