Knight ransomware is currently being disguised as counterfeit TripAdvisor complaint emails in the form of zipped EXE attachments or HTML files to ensnare unsuspecting victims. Once infected, victims’ systems are encrypted (locked), after which hackers demand a sum of $5,000 in Bitcoin for decryption (unlocking).
A Thursday tweet by Sophos researcher Felix first mentioned the new Knight Ransomware campaign — a rebrand of the Cyclops RaaS (Ransomware as a Service) group tool — and its low detection rate. This phishing campaign poses a significant threat to individuals, corporate networks, and venue owners.
‘TripAdvisorComplaint.zip’: The Ransomware Attachments
After downloading and opening the attached files, victims will be shown a fraudulent browser window that mimics a TripAdvisor interface. To do this, the malicious code uses independent penetration tester Mr. D0x’s Browser-in-the-Browser phishing technique, research from BleepingComputer showed. Subsequently, the window prompts victims to review a fake complaint by clicking the “Read Complaint” button. If clicked, a malicious Excel file will be downloaded onto the victim’s device, which will initiate the Knight ransomware encryption process when executed.
Post-compromise, victims won’t be able to access their files. Instead, they are met with a ransom note demanding Bitcoin for a decryption key. “The ransomware will […] create a ransom note named How To Restore Your Files.txt in each folder on the computer. The ransom note in this campaign demands $5,000 be sent to a listed Bitcoin address and also contains a link to the Knight Tor site,” BleepingComputer said.
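The two concrete artifacts the article names, a zipped EXE/HTML lure attachment and a ransom note dropped into every folder, are enough to build a small defender-side triage check. The following is an added example written for this page, not code from BleepingComputer or Sophos; the sample folder tree, note contents and zip members are constructed here for illustration.

```python
"""Defensive triage helpers for the Knight/TripAdvisor phishing campaign described above."""
import os
import tempfile
import zipfile

RANSOM_NOTE = "How To Restore Your Files.txt"  # note filename quoted in the article
RISKY_EXT = {".exe", ".html", ".htm"}          # attachment types the lure uses per the article


def find_ransom_notes(root):
    """Walk a tree and return every folder containing the Knight ransom note.
    A note repeated across many folders is the post-compromise pattern described."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            hits.append(dirpath)
    return sorted(hits)


def risky_zip_members(zip_path):
    """Return zip members whose extension matches the lure's delivery types,
    so a mail gateway or analyst can quarantine the attachment unopened."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(n for n in zf.namelist()
                      if os.path.splitext(n)[1].lower() in RISKY_EXT)


def build_sample():
    """Constructed sample data (not from a real infection): a small tree with the
    note in two folders and a TripAdvisorComplaint.zip holding .exe and .html lures."""
    root = tempfile.mkdtemp()
    for sub in ("Documents", os.path.join("Documents", "Invoices"), "Pictures"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for sub in ("Documents", "Pictures"):
        with open(os.path.join(root, sub, RANSOM_NOTE), "w") as f:
            f.write("constructed sample note text\n")
    zip_path = os.path.join(root, "TripAdvisorComplaint.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("TripAdvisorComplaint.exe", b"MZ constructed stub")
        zf.writestr("TripAdvisorComplaint.html", "<html>constructed lure</html>")
        zf.writestr("readme.txt", "harmless text")
    return root, zip_path


if __name__ == "__main__":
    sample_root, sample_zip = build_sample()
    print("Folders with ransom note:", find_ransom_notes(sample_root))
    print("Risky attachment members:", risky_zip_members(sample_zip))
```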
Interestingly, Bleeping noted that multiple victims received the same Bitcoin address in their ransom directives. This muddles the payment process, as it is impossible to tell who has paid their ransom without a unique address. In theory, this would allow victims to claim others’ payments unjustly, although it is unknown whether paying the ransom results in being given a decryption key.
It’s important to reiterate that the Knight Lite ransomware encryptor has its roots in the Cyclops RaaS. This service made its debut in May 2023, undergoing a rebranding a few months down the line. Encryptors from this group are versatile and can target Windows, macOS, and Linux platforms.
Security Recommendations
A June 2023 report by Uptycs delved into the Cyclops threat group and emphasized the importance of caution. Like with any form of phishing, it is important to exercise skepticism with unsolicited emails and be especially wary of attachments or links, even if they seem to originate from familiar sources.
Similarly, to guard against any type of ransomware, regular backups of vital data, up-to-date security software, and robust network monitoring are pivotal. Also, implementing multi-factor authentication for crucial systems will boost your defenses, providing an added layer of security against unauthorized access attempts.
VPNOverview recommends you use a powerful antivirus and a VPN (virtual private network) while browsing to stay secure and anonymous. We’ve reviewed various security packages that will suit this purpose. We also urge users to maintain password hygiene across all accounts to further aid in ransomware defense.
For more ransomware news, follow us on Twitter, Threads, and Mastodon!
