Halcyon Identifies New Ransomware Operator Volcano Demon Serving
Up LukaLocker
By Halcyon RISE Team
Published: 2024-07-01 · Archived: 2026-04-05 22:20:30 UTC
Halcyon has encountered a new ransomware organization our researchers are tracking as Volcano Demon following several
attacks in the past two weeks.  
The following encryptor sample dubbed LukaLocker was identified encrypting victim files with the .nba file extension. In
addition, multiple attack tools were identified with IOCs noted in the table below. A linux version of LukaLocker was also
identified on the victim’s network.
Volcano Demon was successful in locking both Windows workstations and servers after utilizing common administrative
credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion
techniques.  
Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in
covering their tracks and limited victim logging and monitoring solutions installed prior to the event.
During both cases, the threat actor features no leak site and uses phone calls to leadership and IT executives to extort and
negotiate payment. Calls are from unidentified caller-ID numbers and can be threatening in tone and expectations.  
Ransom Note
Volcano Demon Ransomware Note
Indicators of Compromise
The following artifacts were associated with Volcano Demon. At the time of publishing, all were uploaded to VT with
multiple being flagged:
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 1 of 7

Name Description SHA256 Hash
On
VirusTotal
Protector.exe Trojan f83abe3d9717238755f1276c87b3b320d8c30421984a897099ce3741d9143906 Yes; 38/73
Locker.exe Encryptor 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669 Yes; 7/68
Linux
locker.bin
Linux
Encryptor
ac08ab5bfc5f2cfa0703115a0e2b61decc5158ec0d8a99ebc0824da2b4c3d25 No; 0/64
Reboot.bat
Command
line scripts
as
precursors
to
encryption
event
ed32ebb15d4abe262a34e54408ebb0680b62dc975bf6c02652d28006f45fca14 No; 0/64
Encryptor Overview
The LukaLocker sample analyzed in this report was discovered on 15 June 2024. The ransomware is an x64 PE binary
written and compiled using C++. LukaLocker ransomware employs API obfuscation and dynamic API resolution to conceal
its malicious functionalities -- evading detection, analysis and reverse engineering:
Command Line Options
Command-Line Arguments Description
-p <path> Encrypt target path then exit
-m <mode>
Encrypt modes can be any of the following: default is set to 'all'
all
local
net
backups
-l <log_file> Output to logfile
-s <int> Unknown, possibly a debugging flag
-no-mutex Skip creating process mutex
--sd-killer-off Skip terminating processes and services
--exit-safe-boot Remove safe-mode option then restart computer
-v / --verbose Detailed verbose logging.
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 2 of 7

Note that some of these command-line options are not functional since there is no code implemented by the ransomware
author to support these. These are:
-l <log_file>: although it creates a specified log file, nothing is written to it and remains at 0 bytes.  
Modes “net” and “backups”: unsupported modes and does nothing.  Inferring from the names, these options are used
to target network shares and backup files for encryption.  
-s <int>: unknown command-line option, no code implemented.  Possibly a debugging switch.
Evasion Tactics
Service Stop
Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates some services similar to and
possibly copied from Conti ransomware. The services include the following:
Antivirus and Endpoint Protection
Sophos
Symantec
McAfee
Avast
Defender
Malwarebytes
Windows Defender
BitDefender
Spyhunter
Kaspersky
SentinelOne
Backup and Recovery
Acronis
Symantec
Veeam
SQL Safe
Databases
Microsoft SQL Server
MySQL
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 3 of 7

IBM DB2
Oracle
E-Mail Servers
Microsoft Exchange
Virtualization and Cloud
VMWare
BlueStripe
ProLiant
Remote Access and Monitoring
Alerter
Eventlog
UI0Detect
WinVNC4
Process Stop
Upon execution, unless “--sd-killer-off” is specified, LukaLocker immediately terminates some processes.  The processes
include the following:
Antivirus and Security Software
Symantec/Norton
McAfee
AVG
Kaspersky
Bitdefender
Trend Micro
Malware Bytes
System Monitoring and Management
VMware
Proficy
Microsoft
IBM
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 4 of 7

BMC
Database and Storage Services
Microsoft SQL Server
Oracle
MySQL
Cloud and Remote Access Tools
TeamViewer
VNC
Google
Web Browsers
Firefox
Chrome
Office and Productivity Software
Microsoft Office
File Selection
The following directories are avoided during encryption:
Directories
tmp
temp
winnt
thumb
$Recycle.Bin
$RECYCLE.BIN
System Volume Information
Boot
Windows
Trend Micro
perflogs
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 5 of 7

The following extensions are avoided, all others are included:
readme.txt
NBA_LOG.txt
.NBA
.exe
.dll
.lnk
.sys
.msi
.bat
File Encryption
The Chacha8 cipher is used for bulk data encryption. The Chacha8 key and nonce are randomly-generated, with the key
generated through the Elliptic-curve Diffie–Hellman (ECDH) key agreement algorithm over Curve25519. The ECDH file
public key and the nonce are stored in the footer.
The file itself allows for full encryption or partial supporting 100%, 50%, 20%, or 10% of the file data being encrypted. The
following is the footer that is used by the ransomware:
Offset Length (bytes) Description
0x00 32 File public key
0x20 8 Chacha Nonce
0x28 1
Encryption Mode byte code
0x24 – Whole file
0x25 – Intermittent
0x29 1
Encrypt Percentage
0x64 – 100%
0x32 – 50%
0x14 – 20%
0xA – 10%
0x2A 14 Padding
0x38 8 Last encrypted byte in file offset
0x40 8 Original File Size
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 6 of 7

Offset Length (bytes) Description
0x48 16 Magic bytes
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat
ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture,
automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more.
Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings:
Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
Source: https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
Page 7 of 7