New ransomware group uses phone calls to pressure victims, researchers say


Researchers say they have discovered a new ransomware group named Volcano Demon that has carried out at least two successful attacks in the past two weeks.

The group’s targets were companies in the manufacturing and logistics industries, said Tim West, an analyst at the cybersecurity firm Halcyon, in a comment to Recorded Future News. He declined to provide further information about the targets.

What’s interesting about this ransomware group, Halcyon researchers said, is that it has no public leaks website but instead uses phone calls to intimidate and negotiate payments with leadership at victim organizations. These calls originate from unidentified numbers and often carry a threatening tone, the researchers said.

Before calling, the hackers encrypted files on the victims’ systems with the previously unknown LukaLocker ransomware and left a ransom note:

“If you ignore this incident…we will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees,” the note reads.

Volcano Demon successfully locked Windows workstations and servers by exploiting common administrative credentials obtained from the network, Halcyon said.

The group used a double extortion technique to maximize the chances of receiving payment, Halcyon said. Prior to the LukaLocker infection, they exfiltrated victims’ data to command-and-control (C2) services and only then encrypted it.

Tracking this threat actor was challenging, researchers said. The attackers cleared log files on targeted machines before exploitation, “making a comprehensive forensic evaluation nearly impossible.”
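Log clearing on the endpoint only blinds forensics if the endpoint was the sole copy of the logs. The following added example (not Halcyon's or the article's code) shows the check a defender would run over logs forwarded off-host; it assumes a JSON-lines export format (constructed sample below) and relies on the standard Windows event IDs for log clearing, 1102 (Security log cleared) and 104 (event log cleared, reported by the Eventlog service).

```python
"""Flag Windows event-log clearing in forwarded telemetry.

Added example for this article. Assumes forwarded events arrive as
JSON lines with ts/host/channel/event_id/user fields (an assumption,
not any vendor's format). The event IDs are the documented Windows
ones: 1102 (Security audit log cleared) and 104 (log cleared).
"""
import json

# Events that indicate a log was wiped on the endpoint.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (Eventlog service)",
}

# Constructed sample of forwarded events; not from any real incident.
SAMPLE_LOG = """\
{"ts":"2024-07-01T02:14:03Z","host":"ws-17","channel":"Security","event_id":4624,"user":"svc_backup"}
{"ts":"2024-07-01T02:15:41Z","host":"ws-17","channel":"Security","event_id":1102,"user":"svc_backup"}
{"ts":"2024-07-01T02:15:42Z","host":"ws-17","channel":"System","event_id":104,"user":"svc_backup"}
{"ts":"2024-07-01T02:16:00Z","host":"srv-03","channel":"Security","event_id":4624,"user":"jdoe"}
{"ts":"2024-07-01T02:31:10Z","host":"srv-03","channel":"Security","event_id":1102,"user":"svc_backup"}
"""


def find_log_clears(jsonl):
    """Return one alert dict per log-clear event found in the JSON lines."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEAR_EVENTS:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "user": ev["user"], "reason": LOG_CLEAR_EVENTS[key]})
    return alerts


def accounts_clearing_multiple_hosts(alerts):
    """Accounts that wiped logs on more than one host. One credential
    clearing logs across machines fits the reuse of common admin
    credentials the article describes, not a one-off admin cleanup."""
    hosts_by_user = {}
    for a in alerts:
        hosts_by_user.setdefault(a["user"], set()).add(a["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    found = find_log_clears(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(accounts_clearing_multiple_hosts(found))
```

The second function is the part worth wiring to a page: a single log-clear can be routine maintenance, but the same account clearing logs on several hosts within a short window is worth an immediate call to whoever owns that credential.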

West told Recorded Future News that the hackers spoke “with a heavy accent” but it was too difficult to tell their origin without recordings, which aren’t available to date.

“They call very frequently, almost daily in some cases,” he said, adding that the company cannot share the specifics of the exchange between the hackers and the victims.

It is not yet clear if Volcano Demon operates independently or is an affiliate of a known ransomware group. West said that for now, Halcyon has not been able to identify such links.

Ransomware operators continue to evolve, with several new threat actors recently emerging and targeting a diverse range of industries, according to Halcyon.

In May 2024, researchers discovered a criminal gang named Arcus Media, which operates a ransomware-as-a-service model, allowing other threat actors to use its malware. Over the past month, the hackers reportedly targeted victims in the U.S., the U.K., India and Brazil.

Another group, Space Bears, surfaced earlier in April, “quickly gaining notoriety for their corporate-themed data leak site and strategic affiliations,” including with the Phobos ransomware-as-a-service group.

The analysis of these groups’ activities suggests that they “may be more organized and funded than previously anticipated,” researchers said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
