Ransomware attacks: warning over 'Volcano Demon' scam where victims are harassed with 'threatening' calls

Watch more of our videos on Shots! 
and live on Freeview channel 276
Visit Shots! now
What a terrifying experience 😨
  • Ransomware attack is seeing people ‘threatened’ by phone call. 
  • Scammers are demanding money to unlock computers. 
  • It is a change in tactic compared to traditional ransomware attacks. 
  • Victims urged not to pay up by the National Cyber Security Centre. 

A new scam is seeing ransomware victims being bombarded with threatening calls until they agree to pay up.

It comes as Brits were warned about the dangers of quishing - in which fake QR codes are used to steal personal information. 

Hide Ad
Hide Ad

Halcyon, an anti-ransomware company, reports having spotted a group called Volcano Demon using the new tactic to go after “several” targets in recent weeks. It is a change in the usual ransomware attack strategy, which involves setting up a leak site where data stolen can be uploaded. 

It is claimed that instead “Volcano Demon” are going straight to the top and ringing executives, harassing them to pay up. The calls will come from a number that has “no caller ID”. 

According to Halcyon the group has also used a new ransomware variant dubbed “LukaLocker”. The company reports that there have been several attacks using the tactic in the last fortnight. 

What is a ransomware attack? 

You might have heard the term ransomware while watching the news or flicking through the internet and social media. But what exactly does it mean - and how dangerous is it? 

Hide Ad
Hide Ad

The National Cyber Security Centre explains that it is a type of malware, a program designed to disrupt, damage, or gain unauthorised access to a computer system, which prevents you from accessing your device and the data stored on it. It will do this by encrypting your files. 

Typically the group behind the ransomware will then demand a ransom in exchange for decryption. The NCSC adds: “The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.” 

A ransomware attack may come in the form of an innocuous looking email, but it will come with a malicious link. After clicking the link, the malware will then download onto your computer and do its thing. 

A_B_C - stock.adobe.com

How do Volcano Demon attacks work? 

Halcyon explains that the group is using an encryptor called “LukaLocker” as part of its attacks. It will encrypt the victim’s files with the .nba file extension. The tool appears to be a reference to NBA star Luka Doncic, other groups use similar cultural references such as the ‘Shiny Hunters’ - a reference to Pokemon.

Hide Ad
Hide Ad

It appears that the attack works on both Windows and Linux devices. On its website, Halcyon explains: “Volcano Demon was successful in locking both Windows workstations and servers after utilising common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion techniques.  

“Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging and monitoring solutions installed prior to the event.”

However, unlike the usual ransomware attack tactic of setting up a leak site on the dark web, Volcano Demon instead uses phone calls to leadership and IT executives to extort and negotiate payment. Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations. 

Should you pay up in a ransomware attack? 

On the NCSC’s website it states that law enforcement “does not encourage, endorse nor condone the payment of ransom demands”. It adds that if you do pay a ransom: 

Hide Ad
Hide Ad
  • there is no guarantee that you will get access to your data or computer
  • your computer will still be infected
  • you will be paying criminal groups
  • you're more likely to be targeted in future

It adds: “For this reason, it is important that you always have a recent offline backup of your most important files and data.” 

For more about the ‘epidemic’ of ransomware, Vice News’ CryptoLand show has an episode on the attacks. The 26-minute mini-documentary explores how attacks of this kind are getting ‘worse’ - it can be watched here on YouTube.

Related topics: