Threat Report: Knight

Wes
2 min read · Dec 20, 2023


TLDR: Cyclops ransomware, rebranded as ‘Knight’, encrypts files on Windows machines across industries worldwide and is distributed through a small network of vetted affiliates and users.

What is Knight?

In late July / early August 2023 the Cyclops ransomware-as-a-service group resurfaced under the new branding ‘Knight’, targeting multiple industries with no known motive other than financial gain. Affiliates of the service have been compromising victims and exfiltrating their data via phishing campaigns disguised as TripAdvisor complaint emails, among other lures.

Category: Malware

Type: Ransomware-as-a-Service (RaaS)

Method of Delivery (MoD): Email campaign

Industry/Target: unspecified

Filetype: file extension ‘.knight_l’

Hashes (SHA-256):
5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe
4f1e46ac9e46f019d3be3173f0541f5ed07bde6389180cd7e8255d35b49f812e

Region: Worldwide

Region of Origin: Europe/Russia (allegedly)

TTPs:

Once granted access to the service, affiliates get a distribution dashboard from which they send phishing emails and push the encryptor to targets of their choosing. A snippet of the dashboard:

Knight ransomware-as-a-service data panel

The phishing campaigns deliver a fake TripAdvisor complaint as an attachment named TripAdvisor_Complaint-Possible-Suspension.xll:

fake TripAdvisor attachment to PDF

The .xll is an Excel add-in (a native library that Excel loads), not a spreadsheet. Once Excel loads it, it spawns an explorer.exe process that encrypts the victim's files and appends the extension ‘.knight_l’.
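The delivery chain above (Excel loading a .xll from a user-writable folder, then an explorer.exe whose parent is Excel) is the kind of lineage anomaly that is cheap to hunt for in endpoint telemetry. The following is an added example, not code from the original report: it assumes a pipe-separated export with three Sysmon Event ID 1 fields (Image|ParentImage|CommandLine), and the five sample events are constructed for the demo rather than real telemetry.

```python
"""Hunt for the Knight delivery chain in process-creation telemetry.

Added example, not code from the original report. Input is an assumed
pipe-separated export of Sysmon Event ID 1 fields: Image|ParentImage|CommandLine.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). The first three are benign;
# the last two reproduce the chain described in the report: Excel opens a .xll
# from the user's Downloads folder, then explorer.exe is spawned by Excel.
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|"C:\Windows\explorer.exe"
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\explorer.exe|"EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"
C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Program Files\Mozilla Firefox\firefox.exe|"EXCEL.EXE" "C:\Users\alice\Downloads\TripAdvisor_Complaint-Possible-Suspension.xll"
C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"C:\Windows\explorer.exe"
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Paths an email attachment typically lands in before the user opens it.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp)\\", re.I)
XLL_IN_CMDLINE = re.compile(r"\.xll\b", re.I)


def parse_events(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        image, parent, cmdline = line.split("|", 2)
        events.append({"image": image, "parent": parent, "cmdline": cmdline})
    return events


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return (rule_name, event) pairs for events matching the Knight chain."""
    findings = []
    for event in events:
        image, parent = basename(event["image"]), basename(event["parent"])
        # Rule 1: an Office app loading an Excel add-in (.xll) from a
        # user-writable location such as Downloads, AppData or Windows\Temp.
        if (image in OFFICE_APPS
                and XLL_IN_CMDLINE.search(event["cmdline"])
                and USER_WRITABLE.search(event["cmdline"])):
            findings.append(("office_loads_xll_from_user_dir", event))
        # Rule 2: explorer.exe whose parent is an Office app. The legitimate
        # shell is started by userinit.exe/winlogon.exe, never by Excel.
        if image == "explorer.exe" and parent in OFFICE_APPS:
            findings.append(("explorer_spawned_by_office", event))
    return findings


if __name__ == "__main__":
    for rule, event in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{rule}] {event['image']} <- {event['parent']}")
```

Rule 2 is deliberately narrow: explorer.exe is also legitimately launched by explorer.exe itself (a user opening a new window), so a generic "unexpected parent" rule needs tuning per fleet, whereas an Office parent is anomalous everywhere.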

Once victims' files are encrypted, they are left with instructions on how to regain access to their files:

Knight ransom note

Knight has claimed multiple victims in Q4 2023, including the city of Defiance, Ohio, and healthcare organizations, where disruption can directly endanger citizens and patients. There are no reports of victims regaining access to their data after paying, and no public decryptor exists at the time of writing, so victims are advised not to pay the ransom.
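For responders triaging a suspected infection, the indicators in this report (the two SHA-256 hashes and the ‘.knight_l’ extension) can be swept offline. The following is an added example, not code from the original report or from the Knight operators' tooling: it walks a directory tree, hashes every file, compares digests against the report's IOC list, and counts encrypted files. The demo tree it builds is constructed, and the fake .xll in it is a placeholder whose hash is registered as an extra IOC only so the hash-matching path is exercised.

```python
"""Offline triage sweep using the IOCs listed in this report.

Added example, not code from the original report. The demo directory tree is
constructed for the example; the .xll it contains is not a real sample.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes listed in the report's IOC block.
KNIGHT_SHA256 = {
    "5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe",
    "4f1e46ac9e46f019d3be3173f0541f5ed07bde6389180cd7e8255d35b49f812e",
}
ENCRYPTED_EXT = ".knight_l"  # extension appended to encrypted files


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, ioc_hashes=KNIGHT_SHA256):
    """Return {'hash_hits': [paths], 'encrypted': [paths]} for files under root."""
    hash_hits, encrypted = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        # Case-insensitive match: the extension is data, not a reliable casing.
        if path.name.lower().endswith(ENCRYPTED_EXT):
            encrypted.append(str(path))
            continue  # no point hashing encrypted victim data
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if digest in ioc_hashes:
            hash_hits.append(str(path))
    return {"hash_hits": hash_hits, "encrypted": encrypted}


def build_demo_tree(root):
    """Constructed sample tree: two encrypted files, one clean document and a
    placeholder .xll. Returns the placeholder's hash for use as a demo IOC."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "invoice.pdf.knight_l").write_bytes(b"\x00" * 64)
    (root / "docs" / "photo.jpg.KNIGHT_L").write_bytes(b"\x01" * 64)
    (root / "docs" / "clean.txt").write_text("nothing to see here")
    dropper = root / "TripAdvisor_Complaint-Possible-Suspension.xll"
    dropper.write_bytes(b"MZ placeholder, not a real sample")  # constructed
    return sha256_file(dropper)


def run_demo():
    """Build the demo tree in a temp dir and sweep it with the report IOCs
    plus the placeholder's hash, so both detection paths fire."""
    with tempfile.TemporaryDirectory() as tmp:
        demo_hash = build_demo_tree(tmp)
        return sweep(tmp, ioc_hashes=KNIGHT_SHA256 | {demo_hash})


if __name__ == "__main__":
    result = run_demo()
    print(f"IOC hash hits: {result['hash_hits']}")
    print(f"Encrypted files: {len(result['encrypted'])}")
```

Against a real host, call sweep() on the suspect volume with the default IOC set; hash hits point at the dropper or payload, and the encrypted count gives the scope of impact for the incident record.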
