Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed Knight and also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has developed ransomware that can infect Windows, Linux, macOS, ESXi and Android.

Shreya Talukdar
September 8, 2023
Last updated: February 3, 2024

Category: Malware Intelligence

Type/Family: Ransomware

Industry:

Region: World Wide

Executive Summary

CloudSEK's Threat Research team investigated Knight ransomware; the key findings are as follows:

  • Cyclops, now renamed Knight and also known as Cyclops 2.0, debuted in May 2023.
  • The Cyclops group has developed ransomware that can infect Windows, Linux, macOS, ESXi and Android.
  • The development process spanned three years prior to its emergence.
  • The threat actor identified as easy22go, who operates this RaaS (Ransomware-as-a-Service), markets it on online forums.
  • The ransomware is written in Golang.

The panel obtained from the threat actor is hosted on an onion domain.

Screenshot of Knight builder panel on Tor

Analysis and Attribution

Introduction:

Cyclops ransomware has now been renamed Knight. The Knight ransomware group's malware not only encrypts a network's data but also exfiltrates it, combining data theft and ransomware in a single tool. The malware runs on multiple platforms, including Windows, macOS, Linux, ESXi and Android, and is notably accompanied by a user-friendly interface. Cyclops launched in May 2023 and had been under development for three years (source: HUMINT).

The Knight group claims to be a team of four people from Russia and Europe. The group has not yet deployed its ransomware against individuals. It is currently focused on development for potential affiliates, while actively recruiting individuals to distribute the ransomware through methods such as phishing or social engineering. The gang currently offers two versions: a light version for small targets and phishing, and a full version that includes the builder and stealer. The gang also claims to have links with ransomware groups such as LockBit and Babuk.

Screenshot of sample target

Features of the Malware

The essential attributes of the Knight ransomware, obtained through human intelligence (HUMINT), include:

  • Individual Domain Names: A unique domain name is assigned to each target, ensuring heightened camouflage and evading detection.

  • Comprehensive Payment Model: The ransomware incorporates a thorough payment system, streamlining the transaction process.

  • Program Restructuring: The main program has undergone a complete overhaul, featuring online generation and tailored configuration for individual IDs. Each ID utilizes diverse obfuscation techniques, thwarting antivirus software.

  • Segregated TOR Domains: The new chat room and affiliate users each possess dedicated TOR domains, facilitating more convenient and secure communication.

  • Automated Transactions: Transactions are now executed with increased automation, with each victim assigned a distinct wallet address.

  • Online Trial Decryption: A new online trial decryption option lets affiliate users set the number of trial attempts themselves. Following payment, decryption shifts from manual to automatic.

  • Automated Wallet Updates: Payment receipts trigger automatic updates to the wallet, simplifying the process.

  • Personalized Support: A constant presence is available to address any inquiries, aid in refining requirements, and offer customization as needed.

Knight Panel Analysis

The Home page

Target list on panel

Screenshot of chat room for communication

Wallet address

The builder panel offers customization options such as adding and deleting paths and including or excluding file names.

Builder panel inclusions and exclusions of file path

Knight offers an information stealer alongside the ransomware.

Stealer Analysis

Knight ransomware comes with a separate stealer, which can be downloaded from the ransomware's web builder panel. The stealer offers options such as:

  • Path List: lets the operator add multiple directory paths (separated by semicolons) from which files are stolen.
  • File Max Size: sets the maximum size of a file to steal.
  • File Split Size: the chunk size into which collected data is split once it reaches the maximum file size threshold. The pack prefix name is Knight, the maximum file size for encryption is 500 MB and the split size is 20 MB.
  • The supported file extensions are txt, jpg and sql; the result file is saved as knight_result.txt.

Stealer panel

Stealer configuration

Ransomware Analysis

The ransomware binary is executed with an access key, a unique key tied to a specific ransomware affiliate.

Once the ransomware has encrypted the files, it drops a ransom note, as shown in the screenshot. The build is generated through the onion-site panel provided by the actor. When the built ransomware is executed, it encrypts all files on the victim's system and appends a random extension to each. The encryption scheme is ChaCha20+AES256, which resembles the LockBit and Babuk encryption logic. For large files, the file's attributes are inspected and segmented encryption is used; this keeps encryption fast while still making the result irreversible without the key. Each file segment is encrypted with its own key, which departs from the practice of other groups and is intended to prevent interception of keys in memory. The encryption extension changes for every target. According to the gang, the decryptor is derived as: random extension + ID + main key + random key = decrypter.

Screenshot of image dropped after encryption

Screenshot of ransom note after data encryption on the victim system

As seen in the ransom note screenshot above, the threat actor leaves an onion link where the victim can pay the ransom. The site shows the price, the price after expiry, the Bitcoin wallet address, payment status, instructions, a chat panel and a trial decrypt option.

Ransomware builder execution command: windows_ransomware.exe -key ACCESS_KEY

Screenshot of onion link site provided by the Threat actor

Instructions for payment and decryption

Screenshot of trial decryption for decrypting the encrypted files

The victim is given 5 trial decryptions (the number of trials is set by the attacker) of 1 MB each, after which they must buy the decryptor application at the price set by the attacker, as shown below.

Chat window from the victim side connected with the Threat actor

Chat window from the threat actor side connected with the victim

After execution, the ransomware encrypted all accessible files and directories across the system, appended random extensions, and dropped a ransom note. Some of them are shown below:

Screenshot of encrypted files in random directories throughout the system
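The on-disk indicators described in the stealer and ransomware sections above (one random, victim-specific extension appended across the tree, high-entropy content consistent with ChaCha20/AES output including segmented encryption of large files, and the stealer's knight_result.txt and Knight-prefixed packs) can be checked with a simple triage routine. The following Python is an added example, not Knight's code or CloudSEK tooling; the sample listing, the extension allowlist and the pack part filename are constructed assumptions.

```python
import math
import os
import random
from collections import Counter

_rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
# Constructed post-incident listing (path -> bytes): encrypted files carry one
# random victim-specific extension appended to the original name, one large file
# is only partially (segmented) encrypted; the pack part name is an assumption.
SAMPLE_TREE = {
    "docs/budget.xlsx.f3k9q": _rng.randbytes(4096),
    "docs/report.docx.f3k9q": _rng.randbytes(4096),
    "db/dump.sql.f3k9q": _rng.randbytes(4096),
    "vm/disk.vmdk.f3k9q": b"\x00" * 3072 + _rng.randbytes(1024),
    "notes/readme.txt": b"quarterly planning notes, nothing unusual\n" * 20,
    "tmp/knight_result.txt": b"docs/budget.xlsx\ndb/dump.sql\n",
    "tmp/Knight_001.bin": _rng.randbytes(2048),
}
KNOWN_EXTS = {"txt", "docx", "xlsx", "pdf", "jpg", "sql", "vmdk", "exe", "dll"}
_ext = lambda path: os.path.splitext(path)[1][1:].lower()  # "" when none

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ChaCha20/AES output sits near 8.0, plaintext far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def windowed_entropy(data: bytes, window: int = 1024) -> float:
    """Max entropy over fixed windows, so segmented encryption is not averaged away."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data) or 1, window))

def dominant_unknown_extension(tree, known=KNOWN_EXTS, min_share=0.5):
    """One unrecognised extension shared by >= min_share of all files, else None."""
    unknown = Counter(e for e in map(_ext, tree) if e and e not in known)
    if not unknown:
        return None
    ext, count = unknown.most_common(1)[0]
    return ext if count / len(tree) >= min_share else None

def stealer_artifacts(tree, pack_prefix="Knight"):
    """Paths matching the stealer output described in the article."""
    names = ((p, os.path.basename(p)) for p in tree)
    return sorted(p for p, n in names
                  if n == "knight_result.txt" or n.startswith(pack_prefix + "_"))

def triage(tree, entropy_floor=7.0):
    """Flag high-entropy files under the suspected extension; recover original types."""
    ext = dominant_unknown_extension(tree)
    encrypted = []
    for path, data in tree.items():
        if ext and _ext(path) == ext and windowed_entropy(data) >= entropy_floor:
            encrypted.append((path, _ext(os.path.splitext(path)[0])))
    return {"suspected_extension": ext, "encrypted": encrypted,
            "stealer_artifacts": stealer_artifacts(tree)}
```

Whole-file entropy would miss the partially encrypted disk image, which is why the check works on fixed windows; stripping the appended extension also tells responders which file types were hit.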

Conclusion:

The Knight ransomware operation provides a user-friendly interface tailored to its affiliates. It uses ChaCha20+AES256, a modern encryption scheme, for the encryption and decryption of files. What sets the group apart is its ability to produce customized versions of the ransomware when affiliates request them.

The group is actively seeking partnerships with potential affiliates and is in the process of assembling a skilled team of advanced hackers to facilitate the widespread distribution of the ransomware to targeted users. Our analysts have noted that the group is committed to providing continuous 24/7 support to their affiliates, readily assisting with any queries or issues that may arise.

A distinguishing aspect of the Knight operation is the set of unique features built into its builder, which sets it apart from similar platforms. These include personalized support beyond the norm, distinct TOR domains for each target, an automated system for updating wallet payments, and several other notable functions.

Author

Shreya Talukdar

Cyber Threat Intelligence Researcher
