Category:
Malware Intelligence
Type/Family:
Ransomware
Industry:
Region:
World Wide
CloudSEK's Threat Research team investigated Knight ransomware; the key findings are as follows:
The panel acquired from the threat actor is hosted on an onion domain.
Cyclops ransomware has been renamed Knight. The Knight ransomware group has introduced malware that not only encrypts a network's data but also exfiltrates it, merging data theft with ransomware. The malware runs on multiple platforms, including Windows, macOS, Linux, ESXi and Android, and is accompanied by a user-friendly interface. Cyclops was started in May 2023 and has been under development for 3 years. (Source: HUMINT)
The Knight group claims to be a team of 4 people from Russia and Europe. The group has not yet deployed its ransomware to individuals; it is currently focused on development for potential affiliates while actively recruiting people to distribute the ransomware through methods such as phishing or social engineering. The Knight gang currently has two versions: a light version for small targets and phishing, and a full version with the builder and stealer. The gang also claims to have links with ransomware groups such as LockBit and Babuk.
The essential attributes of the Knight ransomware, obtained through human intelligence (HUMINT), include:
The builder panel offers customization options such as adding and deleting paths, including and excluding file names, etc.
Knight offers an information stealer along with the ransomware.
The Knight ransomware comes with a separate stealer malware that can be downloaded from the ransomware web builder panel. The stealer comes with a range of options such as:
The ransomware binary is executed with an access key, a unique key associated with a specific affiliate.
Once files are encrypted, the ransomware drops a ransom note, as shown in the screenshot. The builder is generated from the onion-site panel provided by the actor. Once the built ransomware is executed, it encrypts all files on the victim's system, always using random extensions. The encryption algorithm is ChaCha20+AES256, which is similar to the LockBit and Babuk encryption logic. For large files, the file's attributes are inspected and segmented encryption is used; this keeps encryption fast while still making it irreversible. Each file section gets its own key, which sets this approach apart from conventional practice used by other groups and effectively prevents memory interception. The encryption extension changes for every target. The decryption process followed by the Knight gang is: random extension + ID + main key + random key = decrypter
As seen in the ransom note screenshot above, the threat actor leaves an onion link for the victim to pay the ransom; the payment page shows the price, expiration price, Bitcoin wallet address, payment status, instructions, a chat panel and a trial decrypt.
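As an added, defender-side example (not code from this write-up, from CloudSEK, or from the Knight builder), the Python script below checks for the two behaviours described above: high-entropy file contents, including the segmented pattern used on large files where only some sections are encrypted, and a burst of one never-seen file extension across many files. It also matches the "-key" invocation form noted for the builder output in process command lines. The chunk size, entropy threshold, sample file contents, paths, baseline extension set and command lines are all constructed assumptions for this example.

```python
"""Defender-side checks for mass or segmented file encryption.

Added example, not code from the write-up or from the Knight builder.
The chunk size, entropy threshold and every sample input below are
assumptions constructed for this example.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # segment size assumed for the 'segmented' check
HIGH_ENTROPY = 7.5     # bits/byte; random data scores ~7.95 on a 4 KiB chunk
MIN_SAMPLE = 256       # a chunk shorter than this cannot approach 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (empty) up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy per chunk. A trailing chunk shorter than MIN_SAMPLE is dropped:
    its entropy is capped at log2(len) and would read as a false 'plain'."""
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_SAMPLE]


def classify_content(data: bytes) -> str:
    """Return 'plain', 'full', 'segmented' or 'too_small'.

    'segmented' is the pattern described for large files: some sections
    encrypted, the rest untouched, so a whole-file entropy average alone
    would under-report it."""
    ents = chunk_entropies(data)
    if not ents:
        return "too_small"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    if high == len(ents):
        return "full"
    if high:
        return "segmented"
    return "plain"


def unknown_extensions(paths, baseline) -> dict:
    """Count files per extension that never appeared in a prior inventory of
    the host. Many files suddenly sharing one never-seen extension is the
    random-extension pattern described above."""
    counts = Counter()
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext and ext not in baseline:
            counts[ext] += 1
    return dict(counts)


def key_flag_invocations(cmdlines) -> list:
    """Return command lines that pass an access key with '-key', the invocation
    form noted for the builder output. The binary name is deliberately not
    matched, since an affiliate can rename it."""
    hits = []
    for line in cmdlines:
        parts = line.split()
        if "-key" in parts and parts.index("-key") + 1 < len(parts):
            hits.append(line)
    return hits


# --- constructed sample inputs (not real victim data) ---
_rng = random.Random(2023)


def _rand_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAIN = (b"quarterly report: revenue, costs, headcount.\n" * 600)[:6 * CHUNK_SIZE]
ENCRYPTED_FULL = _rand_bytes(6 * CHUNK_SIZE)
# every other 4 KiB segment replaced with random bytes: the segmented pattern
SEGMENTED = b"".join(
    _rand_bytes(CHUNK_SIZE) if i % 2 == 0
    else PLAIN[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE]
    for i in range(6)
)
BASELINE_EXTS = {"docx", "xlsx", "pdf", "txt", "exe"}
SAMPLE_PATHS = [  # 'x7q2mv' stands in for a per-victim random extension
    "/srv/share/finance/q1.docx.x7q2mv",
    "/srv/share/finance/q2.xlsx.x7q2mv",
    "/srv/share/hr/handbook.pdf.x7q2mv",
    "/srv/share/hr/notes.txt",
    "C:\\Users\\alice\\Documents\\plan.pdf",
]
SAMPLE_CMDLINES = [  # ACCESS_KEY is the placeholder used in the write-up
    "C:\\Users\\alice\\Downloads\\windows_ransomware.exe -key ACCESS_KEY",
    "C:\\Windows\\System32\\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("full", ENCRYPTED_FULL), ("segmented", SEGMENTED)):
        print(f"{label:>9}: {classify_content(blob)}  entropy={shannon_entropy(blob):.2f}")
    print("unknown extensions:", unknown_extensions(SAMPLE_PATHS, BASELINE_EXTS))
    print("-key invocations:", key_flag_invocations(SAMPLE_CMDLINES))
```

The per-chunk classification matters for the segmented case: averaging entropy over the whole file blends encrypted and untouched sections and can fall below the threshold, so a scanner that only scores whole files will miss exactly the large files this scheme targets. The extension check is only meaningful against a baseline inventory taken before the incident, since the extension is different for every target.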
Ransomware builder execution command: windows_ransomware.exe -key ACCESS_KEY
The victim is provided with 5 trial decryptions (the number of trials is set by the attacker) of 1 MB each, after which they have to buy the decryptor application at the price set by the attacker, as shown below.
After execution, the ransomware encrypted all available files and directories on the system with random extensions and dropped a ransom note. Some of them are shown below:
The Knight ransomware operation has introduced a user-friendly interface tailored to its affiliates. It uses encryption algorithms such as ChaCha20+AES256 for the encryption and decryption of files. What sets the group apart is its capability to produce customized versions of the ransomware at an affiliate's request.
The group is actively seeking partnerships with potential affiliates and is assembling a team of skilled hackers to distribute the ransomware widely to targeted users. Our analysts have noted that the group is committed to providing 24/7 support to its affiliates, assisting with any queries or issues that arise.
One distinguishing aspect of the Knight operation is the set of unique features in its builder, which set it apart from similar platforms. These include personalized support that goes beyond the norm, distinct TOR domains for each target, an automated system for updating wallet payments, and a range of other notable functionality.
Cyclops, now renamed Knight and also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has developed ransomware that can infect multiple platforms: Windows, Linux, macOS, ESXi and Android.