Knight Ransomware Gives Cyclops a Fresh Coat of Paint


The Cyclops ransomware has been rebranded and now operates under the name Knight. Like other ransomware, it encrypts the victim's files and then demands payment in exchange for the means to decrypt them.

When we ran a Knight sample on our test system, it encrypted files and appended the ".knight_l" extension to their original names: "1.jpg" became "1.jpg.knight_l", "2.png" became "2.png.knight_l", and so on. It also dropped a ransom note named "How To Restore Your Files.txt" into every folder that contained encrypted files.
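As an added example (not code from the original write-up, and not anything the Knight operators ship), the following Python script turns the two indicators described above, the ".knight_l" extension and the "How To Restore Your Files.txt" note, into a triage pass over a directory tree. It counts encrypted files per folder, recovers original filenames by stripping the appended extension, pulls the Bitcoin address out of any note it finds, and flags folders that hold encrypted files but no note. The directory layout and file contents are constructed for the demo; the note excerpt and the address in it are taken from the ransom note quoted later on this page. Directory names, function names and the address regex are our own assumptions.

```python
"""Triage helper for the Knight (.knight_l) file-extension and ransom-note pattern.

Added illustration, not the vendor's or the malware authors' code. The sample tree
built by build_sample_tree() is constructed; nothing here touches a real infection.
"""
import os
import re
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".knight_l"                      # extension observed on encrypted files
RANSOM_NOTE = "How To Restore Your Files.txt"     # note dropped into each affected folder
# Heuristic (assumption) for a legacy Bitcoin address: 26-35 base58 characters starting
# with 1 or 3. It will not match bech32 (bc1...) addresses and can hit other base58 strings.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def original_name(filename):
    """Recover the pre-encryption filename: '1.jpg.knight_l' -> '1.jpg'."""
    if filename.endswith(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return filename


def scan_tree(root):
    """Walk root and return (encrypted file paths, ransom note paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name == RANSOM_NOTE:
                notes.append(full)
    return encrypted, notes


def triage(root):
    """Summarise an infection: files per directory, payment addresses found in notes,
    original filenames, and directories with encrypted files but no note (the note
    drop may have been interrupted or the note removed; look at those by hand)."""
    encrypted, notes = scan_tree(root)
    per_dir = defaultdict(int)
    for path in encrypted:
        per_dir[os.path.dirname(path)] += 1
    note_dirs = {os.path.dirname(n) for n in notes}
    addresses = set()
    for note in notes:
        with open(note, encoding="utf-8", errors="replace") as fh:
            addresses.update(BTC_ADDR_RE.findall(fh.read()))
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": sorted(per_dir),
        "dirs_missing_note": sorted(d for d in per_dir if d not in note_dirs),
        "btc_addresses": sorted(addresses),
        "originals": sorted(original_name(os.path.basename(p)) for p in encrypted),
    }


# Constructed note excerpt; the wording and address are quoted from the note on this page.
SAMPLE_NOTE = (
    "All your documents, company files, images, etc have been encrypted and the "
    "extension has been changed to .knight_l .\n"
    "Send the Bitcoin to this wallet:14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z (This is your "
    "only payment address)\n"
)


def build_sample_tree(root):
    """Create a constructed tree mirroring the page's 1.jpg / 2.png example."""
    docs = os.path.join(root, "Documents")
    photos = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(photos)
    for path in (os.path.join(docs, "report.docx.knight_l"),
                 os.path.join(photos, "1.jpg.knight_l"),
                 os.path.join(photos, "2.png.knight_l")):
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder "ciphertext"
    with open(os.path.join(docs, "readme.md"), "w") as fh:
        fh.write("untouched file\n")
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NOTE)  # Pictures deliberately gets no note


def run_demo():
    """Build the constructed tree in a temp dir, triage it, report root-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = triage(root)
        for key in ("affected_dirs", "dirs_missing_note"):
            result[key] = [os.path.relpath(d, root) for d in result[key]]
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the constructed tree, or call triage() on a real mount point during an investigation. Treat the extracted addresses as candidates to confirm by hand, since the regex is deliberately loose, and treat "dirs_missing_note" as a worklist rather than proof of anything: it only says the note was not where the sample's behaviour would put it.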

Knight is run as a Ransomware-as-a-Service (RaaS), and the same group also offers information-stealing malware to its affiliates. Attacks can therefore involve double extortion: data is exfiltrated before it is encrypted, and the threat of selling or leaking it is added to the pressure of the encryption itself. The sample we examined threatens exactly this in its note.

The ransom note tells the victim that the organization's files and documents have been encrypted and that paying the attackers is the only way to recover them. The demanded amount is 5,000 USD in Bitcoin, and the note states that this is not negotiable.

After paying, the victim is told to contact the criminals and supply proof of the transaction (the Bitcoin transaction ID). The note also warns that if payment is not confirmed within four days, the business data stolen from the compromised system will be put up for sale.

Knight Ransom Note Demands $5000 in Bitcoin

The complete text of the Knight ransom note reads as follows:

All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l .

The recovery is only possible with our help.

US $5000 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored.

Send the Bitcoin to this wallet:14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!)

After completing the Bitcoin transaction, send an email at: - (Download and install TOR Browser (hxxps://www.torproject.org/). [If you don't know how to use it, do a Google search!]). You will get an answer as soon as possible.

I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data. Do not use that I am here to waste mine or your time.

How to buy the BTC?

hxxps://www.binance.com/en/how-to-buy/bitcoin

hxxps://www.coinbase.com/how-to-buy/bitcoin

Note:

Your data are uploaded to our servers before being encrypted,

Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others).

If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data.

ID: -

Why Do Ransomware Actors Rebrand Their Malware?

Ransomware operators rebrand for several overlapping reasons:

  • Evasion of Detection: A new name on its own does nothing against antivirus or EDR. What helps the attackers is that a rebrand usually ships with rebuilt or modified binaries, new infrastructure, and new note and extension strings, so detections keyed to the old family's indicators stop firing until analysts map the new samples back to the old code. This is why behavioural detections (mass file renames, a note written into every folder) age better than family-name signatures.
  • Fresh Approach: A rebrand is a natural point to change tactics, techniques and procedures (TTPs): a different encryption scheme, new payment handling, or new initial-access vectors. Victims and defenders who have tuned their response to the old family's playbook can be caught off guard.
  • Avoiding Notoriety: Well-known strains attract law enforcement, security vendors and media attention. Dropping the name lets the operators shed the reputation of earlier attacks and present themselves as a new outfit.
  • Misdirection: A new name can send investigators chasing what looks like a new actor, diverting effort from the group's actual operations and making attribution to a specific crew harder.
  • Confusion and Disarray: Analysts may initially treat the rebranded ransomware as an entirely new threat, which delays a coordinated response and gives the attackers more time to do damage.
  • Rebuilding Trust: If a strain has a record of not delivering working decryptors after payment, a rebrand lets the operators appear trustworthy again, so that victims believe the "new" group will honour its side of the deal.
  • Changing Targets: Operators who move from one industry or sector to another may rebrand to build an image that fits the new target base.

In practice a rebrand is rarely a clean break. Code overlap, reused infrastructure, note templates and the affiliate programme itself usually allow researchers to tie the new brand to the old one, which is how Knight was linked to Cyclops.
August 16, 2023