CloudSEK's Threat Research team investigated Knight ransomware; the key highlights are as follows:
- Cyclops, now renamed Knight (also known as Cyclops 2.0), debuted in May 2023.
- The Cyclops group has developed ransomware that can infect all the major platforms: Windows, Linux, macOS, ESXi and Android.
- The development process spanned three years prior to its emergence.
- The threat actor identified as easy22go, responsible for this RaaS (Ransomware-as-a-Service), markets its services on online forums.
- The ransomware is written in Go (Golang).
The panel acquired from the threat actor is hosted on an onion domain.
Analysis and Attribution
Cyclops ransomware has been renamed Knight. The Knight ransomware group has introduced a new strain of malware that not only encrypts a network's data but also exfiltrates it, merging data theft with ransomware. The malware runs on multiple platforms, including Windows, macOS, Linux, ESXi and Android, and is accompanied by a user-friendly interface. Cyclops started in May 2023 and had been under development for three years. (source: HUMINT)
The Knight group claims to be a team of four people from Russia and Europe. The group has not yet deployed its ransomware against victims. Currently, it is focused on development for potential affiliates, while actively recruiting individuals to distribute the ransomware through methods such as phishing or social engineering. The Knight gang currently has two versions: a light version for small targets and phishing, and a full version for builders and stealers. The gang further claims to have links with ransomware groups such as LockBit and Babuk.
Features of the Malware
The essential attributes of the Knight ransomware, obtained through human intelligence (HUMINT), include:
- Individual Domain Names: A unique domain name is assigned to each target, ensuring heightened camouflage and evading detection.
- Comprehensive Payment Model: The ransomware incorporates a thorough payment system, streamlining the transaction process.
- Program Restructuring: The main program has undergone a complete overhaul, featuring online generation and tailored configuration for individual IDs. Each ID utilizes diverse obfuscation techniques, thwarting antivirus software.
- Segregated TOR Domains: The new chat room and affiliate users each possess dedicated TOR domains, facilitating more convenient and secure communication.
- Automated Transactions: Transactions are now executed with increased automation, with each victim assigned a distinct wallet address.
- Online Trial Decryption: A novel online trial decryption option has been introduced, enabling affiliate users to independently set the number of trial attempts. Following payment, decryption shifts from manual to automatic.
- Automated Wallet Updates: Payment receipts trigger automatic updates to the wallet, simplifying the process.
- Personalized Support: A constant presence is available to address any inquiries, aid in refining requirements, and offer customization as needed.
Knight Panel Analysis
The builder panel offers customization options such as adding and deleting paths, including and excluding file names, and so on.
Knight offers an information stealer along with the ransomware.
The Knight ransomware comes with a separate stealer, which can be downloaded from the ransomware web builder panel. The stealer offers a range of options:
- Path List: lets the operator add multiple directory paths (separated by semicolons) from which to steal files.
- File Max Size: lets the operator set the maximum file size.
- File Split Size: the size into which a file is split once it exceeds the max file size threshold. In the observed configuration, the pack prefix name is Knight, the maximum file size for encryption is 500 MB and the split size is 20 MB.
- Supported file extensions: txt, jpg and sql; the result file is saved as knight_result.txt.
The ransomware binary is executed with an access key, a unique key associated with a specific ransomware affiliate.
Once files are encrypted, the ransomware drops a ransom note, as portrayed in the screenshot. The builder is created using the onion site panel furnished by the actor. Once the ransomware build is executed, it encrypts all files on the victim's system, consistently using random extensions. The encryption algorithm is ChaCha20+AES256, which is observed to be similar to the LockBit and Babuk encryption logic. For large files, the file's attributes are recognized and segmented encryption is used; this guarantees encryption speed while keeping the encryption irreversible. Uniquely assigned keys are used for individual file sections, which sets their approach apart from the conventional practice of other groups and effectively prevents memory interception. For every target, the encryption extension changes. The decryption process followed by the Knight gang is: random extension + ID + main key + random key = decrypter.
As observed in the ransom note screenshot above, the threat actor leaves an onion link for the victim to pay the ransom; the page includes the price, expiration price, Bitcoin wallet address, payment status, instructions, a chat panel and trial decryption.
Ransomware builder execution command: windows_ransomware.exe -key ACCESS_KEY
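Defensive triage for the artefacts described above (the stealer's knight_result.txt and Knight pack prefix, the -key launch of the built binary, and files rewritten under random extensions), as an added example that is not part of the CloudSEK write-up; the entropy threshold, the benign-extension list and the sample files are assumptions constructed for the demonstration.

```python
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Names from the write-up (knight_result.txt, the "Knight" pack prefix, the
# "windows_ransomware.exe -key" launch); thresholds and the extension list are assumed.
KNOWN_ARTIFACTS = {"knight_result.txt"}
PACK_PREFIX = "knight"
ENTROPY_THRESHOLD = 7.5  # assumed: ciphertext/random bytes score close to 8.0
COMMON_EXTENSIONS = {".txt", ".jpg", ".sql", ".pdf", ".docx", ".exe", ".dll"}

def shannon_entropy(data):
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_file(path, sample_size=4096):
    """Label one file, or return None when nothing stands out."""
    p = Path(path)
    name = p.name.lower()
    if name in KNOWN_ARTIFACTS or name.startswith(PACK_PREFIX):
        return "stealer_artifact"
    with p.open("rb") as f:  # sample the head only; encrypted files can be large
        head = f.read(sample_size)
    # Unfamiliar extension on near-random bytes: a file rewritten under a random extension
    if p.suffix.lower() not in COMMON_EXTENSIONS and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "possible_encrypted_file"

def scan_tree(root):
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            label = classify_file(p)
            if label:
                findings[p.name] = label
    return findings

def suspicious_command_line(cmd):
    """True for the access-key launch pattern reported for the builder output."""
    parts = cmd.lower().split()
    return any(p.endswith("windows_ransomware.exe") for p in parts) and "-key" in parts

def build_sample_tree():
    """Constructed sample: plaintext note, random-extension high-entropy file, stealer result file."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("quarterly report draft\n" * 200)
    (root / "report.pdf.x9f2q").write_bytes(secrets.token_bytes(8192))
    (root / "knight_result.txt").write_text("")
    return str(root)
```

Run scan_tree(build_sample_tree()) to see the high-entropy random-extension file and the stealer result file flagged while the plaintext note is not; in production the entropy check belongs alongside ransom-note and mass-rename telemetry, not on its own.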
The victim is provided with 5 trial decryptions (the number of trials is set by the attacker) of 1 MB each, after which they have to buy the decryptor application at the price set by the attacker, as shown below.
After execution, the ransomware encrypted all files and directories on the system with random extensions and dropped a ransom note. Some of them are shown below:
The Knight ransomware operation has introduced a user-friendly interface tailored for their ransomware affiliates. They've incorporated cutting-edge encryption algorithms like ChaCha20+AES256 for the encryption and decryption of files. What sets them apart is their capability to produce customized versions of the ransomware if requested by their affiliates.
The group is actively seeking partnerships with potential affiliates and is in the process of assembling a skilled team of advanced hackers to facilitate the widespread distribution of the ransomware to targeted users. Our analysts have noted that the group is committed to providing continuous 24/7 support to their affiliates, readily assisting with any queries or issues that may arise.
One of the distinguishing aspects of the Knight ransomware operation is the incorporation of unique features within their builder, setting them apart from other similar platforms. These distinctive features encompass personalized support, which extends beyond the norm, as well as several other notable attributes. These attributes include the utilization of distinct TOR domains for each specific target, an automated system for updating wallet payments, and an array of other prominent functionalities.