Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed Knight (also known as Cyclops 2.0), debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major desktop platforms, Windows, Linux and macOS, as well as ESXi and Android.
Shreya Talukdar, published on September 8, 2023
Executive Summary

CloudSEK's Threat Research team investigated Knight ransomware; the quick highlights are as follows:

  • Cyclops, now renamed Knight (also known as Cyclops 2.0), debuted in May 2023.
  • The Cyclops group has successfully developed ransomware that can infect all three major desktop platforms, Windows, Linux and macOS, as well as ESXi and Android.
  • The development process spanned three years prior to its emergence.
  • The threat actor identified as easy22go, responsible for this RaaS (Ransomware-as-a-Service), markets its services on online forums.
  • The ransomware is coded in Golang.

The acquired panel from the threat actor is hosted on an onion domain.

Screenshot of Knight builder panel on Tor

Analysis and Attribution


Cyclops ransomware has now been renamed Knight. The Knight ransomware group has introduced a novel form of malicious software that not only encrypts a network's data but also exfiltrates it, essentially merging the functions of data theft and ransomware. This malware is operational across multiple platforms including Windows, macOS, Linux, ESXi and Android, and is notably accompanied by a user-friendly interface. Cyclops was started in May 2023 and had been under development for 3 years. (source: HUMINT)

The Knight group claims to be a team of 4 people originating from Russia and Europe. The Knight ransomware group has not yet deployed its ransomware against individuals. Currently, they are focused on the development stage for potential affiliates, while also actively recruiting individuals to distribute the ransomware through methods such as phishing or social engineering. The Knight gang currently offers two versions: a light version for small targets and phishing, and a full version for builders and stealers. Further, the Knight gang claims to have links with ransomware groups like LockBit and Babuk.

Screenshot of sample target

Features of the Malware

The essential attributes of the Knight ransomware, obtained through human intelligence (HUMINT), include:

  • Individual Domain Names: A unique domain name is assigned to each target, ensuring heightened camouflage and evading detection.

  • Comprehensive Payment Model: The ransomware incorporates a thorough payment system, streamlining the transaction process.

  • Program Restructuring: The main program has undergone a complete overhaul, featuring online generation and tailored configuration for individual IDs. Each ID utilizes diverse obfuscation techniques, thwarting antivirus software.

  • Segregated TOR Domains: The new chat room and affiliate users each possess dedicated TOR domains, facilitating more convenient and secure communication.

  • Automated Transactions: Transactions are now executed with increased automation, with each victim assigned a distinct wallet address.

  • Online Trial Decryption: A novel online trial decryption option has been introduced, enabling Affiliate users to independently set the number of trial attempts. Following payment, decryption shifts from manual to automatic.

  • Automated Wallet Updates: Payment receipts trigger automatic updates to the wallet, simplifying the process.

  • Personalized Support: A constant presence is available to address any inquiries, aid in refining requirements, and offer customization as needed.

Knight Panel Analysis

The Home page

Target list on panel

Screenshot of chat room for communication

Wallet address

The builder panel offers customization options such as adding and deleting paths, including and excluding file names, and so on.

Builder panel inclusions and exclusions of file path

Knight offers an information stealer along with the ransomware.

Stealer Analysis

The Knight Ransomware comes with a separate stealer malware which can be downloaded from the ransomware web builder panel. The stealer malware comes with a range of options such as:

  • Path List: This option lets you add multiple directory paths (separated by semicolons) from which files are stolen.
  • File Max Size: This option sets the maximum size of a file to be collected.
  • File Split Size: Files are split into parts of this size once they exceed the max file size threshold. The pack prefix name is Knight, the max file size of encryption is 500 MB and the split size is 20 MB.
  • The supported file extensions are txt, jpg and sql, and the result file is saved as knight_result.txt.

Stealer panel 

Stealer configuration

Ransomware Analysis

The ransomware binary is executed with an access key, a unique key associated with a specific ransomware affiliate.

Once files are encrypted by the ransomware, it drops a ransom note as shown in the screenshot. The build is generated through the onion site panel provided by the actor. Once the ransomware build is executed, it encrypts all files within the victim's system, always using random extensions. The encryption algorithm used is ChaCha20+AES256, which is observed to be similar to the LockBit and Babuk encryption logic. For large files, the file's attributes are checked and segmented encryption is used instead; this approach keeps encryption fast while still making the encryption irreversible without the key. Uniquely assigned keys are used for individual file sections, which sets their approach apart from the conventional practice of other groups and effectively prevents memory interception. For every target, the encryption extension changes. The decryption process followed by the Knight gang is: random extension + ID + main key + random key = decrypter

Screenshot of image dropped after encryption

Screenshot of Ransom note after data encryption in victim system 

As observed in the ransom note screenshot above, the threat actor left an onion link for the victim to pay the ransom which includes price, expiration price, bitcoin wallet address, payment status, instructions, chat panel and trial decrypt.

Ransomware builder execution command: windows_ransomware.exe -key ACCESS_KEY

Screenshot of onion link site provided by the Threat actor

Instructions for payment and decryption

Screenshot of Trial Decryption for decrypting the encrypted files 

The victim is provided with 5 trial decryptions (the number of trials is set by the attacker) of 1 MB each, after which they have to buy the decryptor application at the price set by the attacker, as shown below.

Chat window from the victim side connected with the Threat actor

Chat window from the threat actor side connected with the victim

After execution, the ransomware encrypted all available files and directories across the system with random extensions and dropped a ransom note. Some of them are shown below:

Screenshot of encrypted files in random directories throughout the system
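Because Knight changes the encryption extension per target and encrypts large files only in segments, extension-based indicators and whole-file entropy checks both miss it. The following added example (written for this post, not code from CloudSEK or from the malware) flags files on a host by measuring Shannon entropy per 64 KiB chunk, so a file whose head segment is ChaCha20/AES output is caught even when the rest is still plaintext; the sample tree, the extension ".k9xq2" and the known-compressed allowlist are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 64 * 1024   # entropy is measured per chunk, not per whole file
THRESHOLD = 7.9     # bits per byte; cipher output sits very close to 8.0

# Assumed allowlist: formats that are already compressed and so look
# "encrypted" to an entropy test. Tune it to the environment.
KNOWN_HIGH_ENTROPY = frozenset({".zip", ".gz", ".7z", ".png", ".jpg", ".pdf"})


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant or empty data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(path: Path) -> float:
    """Highest entropy seen in any CHUNK-sized window of the file.
    A segmented encryptor leaves at least one such window near 8.0."""
    best = 0.0
    with path.open("rb") as f:
        while chunk := f.read(CHUNK):
            best = max(best, shannon_entropy(chunk))
    return best


def scan_tree(root: Path) -> list[Path]:
    """Return files with an unknown extension and a high-entropy chunk."""
    return [p for p in root.rglob("*")
            if p.is_file()
            and p.suffix.lower() not in KNOWN_HIGH_ENTROPY
            and max_chunk_entropy(p) >= THRESHOLD]


def demo() -> set[str]:
    """Constructed sample tree: one plaintext file, one fully 'encrypted'
    file and one where only the first 64 KiB segment is 'encrypted'."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_bytes(b"quarterly report draft\n" * 4000)
    (root / "db.sql.k9xq2").write_bytes(os.urandom(256 * 1024))
    head_only = os.urandom(CHUNK) + b"A" * (512 * 1024)
    (root / "video.mp4.k9xq2").write_bytes(head_only)
    return {p.name for p in scan_tree(root)}


if __name__ == "__main__":
    print(sorted(demo()))
```

Run it against a real share and expect false positives from unlisted compressed or already-encrypted formats; the value is in the sudden spike of such files in directories that had none.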


The Knight ransomware operation has introduced a user-friendly interface tailored for its ransomware affiliates. It uses modern encryption algorithms, ChaCha20+AES256, for the encryption and decryption of files. What sets the group apart is its capability to produce customized versions of the ransomware if requested by affiliates.

The group is actively seeking partnerships with potential affiliates and is in the process of assembling a skilled team of advanced hackers to facilitate the widespread distribution of the ransomware to targeted users. Our analysts have noted that the group is committed to providing continuous 24/7 support to their affiliates, readily assisting with any queries or issues that may arise.

One of the distinguishing aspects of the Knight ransomware operation is the incorporation of unique features within their builder, setting them apart from other similar platforms. These distinctive features encompass personalized support, which extends beyond the norm, as well as several other notable attributes. These attributes include the utilization of distinct TOR domains for each specific target, an automated system for updating wallet payments, and an array of other prominent functionalities.

Contributors to this Article
Shreya Talukdar
Cyber Threat Intelligence Researcher