Summary:
A spam campaign has emerged that disguises itself as TripAdvisor complaints while distributing the newly rebranded Knight ransomware, formerly known as the Cyclops Ransomware-as-a-Service. The original Cyclops ransomware operation started recruiting affiliates on the RAMP hacking forum, offering encryptors for Windows, macOS, and Linux/ESXi, along with unusual information-stealing malware for Windows and Linux. The operation later introduced a 'lite' version tailored for spam and large-scale distribution campaigns, which omits ransom negotiations in favor of a fixed ransom. Cyclops then rebranded as Knight, upgrading the 'lite' encryptor to facilitate batch distribution and launching a new data leak site. However, no victim data has been posted on the Knight data leak site yet.
Researchers uncovered a fraudulent spam campaign posing as TripAdvisor complaints that actually spreads the Knight ransomware. The emails carry a ZIP attachment named 'TripAdvisorComplaint.zip,' which holds an executable named 'TripAdvisor Complaint - Possible Suspension.exe.' A newer version of the campaign was subsequently identified that instead uses an HTML attachment named 'TripAdvisor-Complaint-[random].PDF.htm.' When the HTML file is opened, it uses the Browser-in-the-Browser phishing technique to render a fake browser window resembling TripAdvisor. This fake window presents a fabricated restaurant complaint and encourages the user to review it. Clicking 'Read Complaint' downloads an Excel XLL add-in file called 'TripAdvisor_Complaint-Possible-Suspension.xll,' built with Excel-DNA, which executes the malware when launched.
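The lure chain above (ZIP wrapping an executable, a double-extension '.PDF.htm' attachment, and an XLL add-in) is the kind of thing a mail-gateway or triage script can flag before a user ever sees it. The following is an added example written for this summary, not code from the original report or from any vendor: the attachment names and contents are constructed to mirror the campaign, and the heuristics (executable-extension list, double-extension pattern, HTML references to an add-in download) are assumptions a defender would tune to their own policy.

```python
"""Mail-attachment triage for the lure pattern described above.

Added example, not code from the original report. File names and contents are
constructed samples modelled on the campaign; the heuristics are assumptions.
"""
import io
import re
import zipfile

# Extensions that execute or script when a user opens them (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".xll", ".js", ".vbs", ".dll"}
# Document-looking extensions that lures place before the real one (".PDF.htm").
DOC_EXTS = r"pdf|docx?|xlsx?|txt"
DOUBLE_EXT_RE = re.compile(rf"\.({DOC_EXTS})\.(htm|html|exe|xll|js)$")


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def triage_attachment(name: str, data: bytes = b"") -> list[str]:
    """Return human-readable findings for one attachment (empty list = nothing found)."""
    findings = []
    m = DOUBLE_EXT_RE.search(name.lower())
    if m:
        findings.append(f"double extension .{m.group(1)}.{m.group(2)}")
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"directly executable attachment ({ext})")
    if ext == ".xll":
        findings.append("Excel add-in: runs native/.NET code once the user enables it")
    if ext == ".zip":
        findings += _inspect_zip(data)
    if ext in (".htm", ".html"):
        findings += _inspect_html(data)
    return findings


def _inspect_zip(data: bytes) -> list[str]:
    """Look inside a ZIP for members that would execute when double-clicked."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if _ext(member) in EXECUTABLE_EXTS:
                    findings.append(f"archive contains executable member '{member}'")
    except zipfile.BadZipFile:
        findings.append("attachment named .zip is not a valid ZIP archive")
    return findings


def _inspect_html(data: bytes) -> list[str]:
    """Heuristics for HTML lures that hand the user an add-in or executable."""
    findings = []
    text = data.decode("utf-8", errors="replace").lower()
    for ext in (".xll", ".exe", ".js"):
        if ext in text:
            findings.append(f"HTML attachment references a {ext} download")
    if "<script" in text:
        findings.append("HTML attachment carries inline script")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose only member mimics the lure's executable name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TripAdvisor Complaint - Possible Suspension.exe", b"MZ placeholder")
    return buf.getvalue()


# Constructed stand-in for the HTML lure; no real page content is reproduced.
SAMPLE_HTML = b"""<html><body><script>
// constructed placeholder for the in-page download logic
var link = "TripAdvisor_Complaint-Possible-Suspension.xll";
</script></body></html>"""


if __name__ == "__main__":
    samples = [
        ("TripAdvisorComplaint.zip", build_sample_zip()),
        ("TripAdvisor-Complaint-ab12.PDF.htm", SAMPLE_HTML),
        ("TripAdvisor_Complaint-Possible-Suspension.xll", b""),
        ("invoice.pdf", b"%PDF"),
    ]
    for name, data in samples:
        print(name, "->", triage_attachment(name, data) or ["no findings"])
```

Each branch maps to one stage of the lure: the ZIP inspection catches the first wave, the double-extension and HTML checks catch the second wave, and the XLL check covers the payload either way. A gateway would quarantine or strip on any non-empty result rather than rely on the user noticing the '.PDF.htm' suffix.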
Whether the add-in runs depends on Microsoft Excel's handling of the Mark of the Web (MoTW) flag. If the MoTW flag is present, Excel keeps the .NET add-in in the document disabled unless the user unblocks the file. If no MoTW flag is present, Excel prompts the user to enable the add-in. Enabling it injects the Knight Lite ransomware encryptor into a new explorer.exe process, which begins encrypting files. Encrypted files are given the '.knight_l' extension. The ransomware drops a ransom note named 'How To Restore Your Files.txt' in each folder, demanding a $5,000 ransom paid to a Bitcoin address; the note also includes a link to the Knight Tor site. Notably, all ransom notes in this campaign use the same Bitcoin address, which prevents the attacker from determining who has paid the ransom.
Because the campaign uses the Knight Lite version, no negotiation panel is shown when visiting the Tor site. Instead, the site tells visitors that they must already have paid the ransom and instructs them to contact the affiliate via Onion mail. It remains uncertain whether paying the ransom will result in the Knight affiliate providing a decryptor. Moreover, because the campaign's ransom notes share a single Bitcoin address, multiple victims risk unknowingly paying to the same address.
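The two host-side artifacts named above, the '.knight_l' extension and the 'How To Restore Your Files.txt' note, are what an incident responder would sweep for, and the single shared Bitcoin address is a trait worth confirming because it tells you whether you are looking at this 'lite' campaign or a negotiated intrusion. The following is an added example written for this summary, not code from the original report: it builds a constructed directory tree with placeholder ciphertext, a placeholder Bitcoin address and a placeholder .onion URL (none of them real indicators), then sweeps it and reports what it found.

```python
"""Host-side triage for the encryption artifacts described above.

Added example, not code from the original report. The directory tree, note text,
Bitcoin address and .onion URL below are constructed placeholders, not real IoCs.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".knight_l"                   # extension named in the report
NOTE_NAME = "How To Restore Your Files.txt"   # ransom note name given in the report
# Bech32 and legacy Bitcoin address shapes; the group wraps the whole alternation.
BTC_RE = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*")


def scan_tree(root: str) -> dict:
    """Walk `root` and summarise encrypted files, notes, and what the notes say."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif f == NOTE_NAME:
                notes.append(path)

    addresses, onions = [], set()
    for path in notes:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        addresses += BTC_RE.findall(text)      # findall returns the captured address
        onions.update(ONION_RE.findall(text))

    counts = Counter(addresses)
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "bitcoin_addresses": counts,
        # The report's distinguishing trait: one address across every note.
        "single_address": len(counts) == 1,
        "onion_links": sorted(onions),
        "folders_hit": sorted({os.path.dirname(p) for p in encrypted}),
    }


# Constructed note text; the address and URL are placeholders that only match the regexes.
SAMPLE_NOTE = """All your files have been encrypted.
To restore them, pay 5000 USD in Bitcoin to: bc1qexampleexampleexampleexamplexxxxxx
Then contact us at http://knightexampleplaceholderonionaddressx.onion
"""


def build_sample_tree() -> str:
    """Constructed victim-like tree: two folders, each with encrypted files and a note."""
    root = tempfile.mkdtemp(prefix="knight_triage_")
    for folder in ("Documents", "Pictures"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        for i in range(3):
            with open(os.path.join(d, f"file{i}.docx{ENCRYPTED_EXT}"), "wb") as fh:
                fh.write(b"\x00" * 16)          # placeholder ciphertext
        with open(os.path.join(d, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
    with open(os.path.join(root, "untouched.txt"), "w", encoding="utf-8") as fh:
        fh.write("not encrypted")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real share or workstation image, `folders_hit` gives the blast radius and `single_address` tells you whether the note matches the fixed-ransom 'lite' behaviour the report describes; the extracted address and .onion link go straight into the case file rather than being retyped from a screenshot.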
Threat Profile:

References:
The following reports contain further technical details: