{
	"id": "32312830-5e3e-449f-9c95-640beaf152fd",
	"created_at": "2026-04-06T00:15:26.3219Z",
	"updated_at": "2026-04-10T03:24:29.071908Z",
	"deleted_at": null,
	"sha1_hash": "f3c72d8cd1f573843c5e37be3750bb0e594e6072",
	"title": "Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 188396,
	"plain_text": "Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker\r\nBy Halcyon RISE Team\r\nPublished: 2024-07-01 · Archived: 2026-04-05 22:20:30 UTC\r\nHalcyon has encountered a new ransomware organization our researchers are tracking as Volcano Demon following several attacks in the past two weeks.\r\nThe following encryptor sample, dubbed LukaLocker, was identified encrypting victim files with the .nba file extension. In addition, multiple attack tools were identified, with IOCs noted in the table below. A Linux version of LukaLocker was also identified on the victim’s network.\r\nVolcano Demon was successful in locking both Windows workstations and servers after utilizing common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion.\r\nLogs were cleared prior to exploitation and, in both cases, a full forensic evaluation was not possible due to the attackers' success in covering their tracks and the limited logging and monitoring solutions the victims had installed prior to the event.\r\nIn both cases, the threat actor operates no leak site and uses phone calls to leadership and IT executives to extort and negotiate payment. Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations.\r\nRansom Note\r\n[Figure: Volcano Demon Ransomware Note]\r\nIndicators of Compromise\r\nThe following artifacts were associated with Volcano Demon. 
At the time of publishing, all had been uploaded to VirusTotal, with multiple being flagged:\r\nhttps://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker\r\nPage 1 of 7\n\nName | Description | SHA256 Hash | On VirusTotal\r\nProtector.exe | Trojan | f83abe3d9717238755f1276c87b3b320d8c30421984a897099ce3741d9143906 | Yes; 38/73\r\nLocker.exe | Encryptor | 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669 | Yes; 7/68\r\nLinux locker.bin | Linux Encryptor | ac08ab5bfc5f2cfa0703115a0e2b61decc5158ec0d8a99ebc0824da2b4c3d25 | No; 0/64\r\nReboot.bat | Command line scripts used as precursors to the encryption event | ed32ebb15d4abe262a34e54408ebb0680b62dc975bf6c02652d28006f45fca14 | No; 0/64\r\nEncryptor Overview\r\nThe LukaLocker sample analyzed in this report was discovered on 15 June 2024. The ransomware is an x64 PE binary written and compiled using C++. LukaLocker employs API obfuscation and dynamic API resolution to conceal its malicious functionality, evading detection, analysis and reverse engineering.\r\nCommand Line Options\r\nCommand-Line Argument | Description\r\n-p \u003cpath\u003e | Encrypt target path then exit\r\n-m \u003cmode\u003e | Encrypt mode; can be any of all, local, net, backups (default is 'all')\r\n-l \u003clog_file\u003e | Output to logfile\r\n-s \u003cint\u003e | Unknown, possibly a debugging flag\r\n-no-mutex | Skip creating process mutex\r\n--sd-killer-off | Skip terminating processes and services\r\n--exit-safe-boot | Remove safe-mode option then restart computer\r\n-v / --verbose | Detailed verbose logging\r\nNote that some of these command-line options are not functional, since the ransomware author implemented no code to support them. 
These are:\r\n-l \u003clog_file\u003e: although it creates the specified log file, nothing is written to it and it remains at 0 bytes.\r\nModes “net” and “backups”: unsupported modes that do nothing. Inferring from the names, these options are intended to target network shares and backup files for encryption.\r\n-s \u003cint\u003e: unknown command-line option, no code implemented. Possibly a debugging switch.\r\nEvasion Tactics\r\nService Stop\r\nUpon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates a set of services similar to, and possibly copied from, Conti ransomware. The services include the following:\r\nAntivirus and Endpoint Protection: Sophos, Symantec, McAfee, Avast, Defender, Malwarebytes, Windows Defender, BitDefender, Spyhunter, Kaspersky, SentinelOne\r\nBackup and Recovery: Acronis, Symantec, Veeam, SQL Safe\r\nDatabases: Microsoft SQL Server, MySQL, IBM DB2, Oracle\r\nE-Mail Servers: Microsoft Exchange\r\nVirtualization and Cloud: VMWare, BlueStripe, ProLiant\r\nRemote Access and Monitoring: Alerter, Eventlog, UI0Detect, WinVNC4\r\nProcess Stop\r\nUpon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates a set of processes. 
The processes include the following:\r\nAntivirus and Security Software: Symantec/Norton, McAfee, AVG, Kaspersky, Bitdefender, Trend Micro, Malware Bytes\r\nSystem Monitoring and Management: VMware, Proficy, Microsoft, IBM, BMC\r\nDatabase and Storage Services: Microsoft SQL Server, Oracle, MySQL\r\nCloud and Remote Access Tools: TeamViewer, VNC, Google\r\nWeb Browsers: Firefox, Chrome\r\nOffice and Productivity Software: Microsoft Office\r\nFile Selection\r\nThe following directories are skipped during encryption:\r\ntmp, temp, winnt, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro, perflogs\r\nThe following file names and extensions are skipped; all others are included:\r\nreadme.txt, NBA_LOG.txt, .NBA, .exe, .dll, .lnk, .sys, .msi, .bat\r\nFile Encryption\r\nThe ChaCha8 cipher is used for bulk data encryption. The ChaCha8 key and nonce are randomly generated, with the key derived through the Elliptic-curve Diffie–Hellman (ECDH) key agreement algorithm over Curve25519. The per-file ECDH public key and the nonce are stored in the footer.\r\nEach file is either fully encrypted or partially encrypted, with 100%, 50%, 20%, or 10% of the file data being encrypted. 
The following is the footer that is used by the ransomware:\r\nOffset | Length (bytes) | Description\r\n0x00 | 32 | File public key\r\n0x20 | 8 | ChaCha nonce\r\n0x28 | 1 | Encryption mode byte code: 0x24 – whole file; 0x25 – intermittent\r\n0x29 | 1 | Encrypt percentage: 0x64 – 100%; 0x32 – 50%; 0x14 – 20%; 0xA – 10%\r\n0x2A | 14 | Padding\r\n0x38 | 8 | Offset of the last encrypted byte in the file\r\n0x40 | 8 | Original file size\r\n0x48 | 16 | Magic bytes\r\nHalcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more.\r\nHalcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.\r\nSource: https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker"
	],
	"report_names": [
		"halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3c72d8cd1f573843c5e37be3750bb0e594e6072.pdf",
		"text": "https://archive.orkl.eu/f3c72d8cd1f573843c5e37be3750bb0e594e6072.txt",
		"img": "https://archive.orkl.eu/f3c72d8cd1f573843c5e37be3750bb0e594e6072.jpg"
	}
}