Volcano Demon Ransomware Group Rings Its Victims To Extort Money

Ransomware Gangs Dial Up the Pressure with Phone Negotiations

In a surprising twist on traditional ransomware tactics, a new cybercriminal group known as Volcano Demon has been conducting negotiations with their corporate victims over the phone. This unconventional approach has added a new layer of intimidation and unpredictability to the already high-stakes world of ransomware attacks.

Unmasking the Volcano Demon: A Chilling New Ransomware Threat

Bypassing the Dark Web, Embracing Old-School Tactics

Typically, ransomware gangs rely on the anonymity of the dark web to extort their victims, demanding payment in exchange for decryption keys or the promise of not leaking stolen data. However, the Volcano Demon group has taken a different approach, forgoing the creation of a dark web site to publish leaked data. Instead, they conduct their negotiations directly with victims over the phone.

This unexpected tactic has significant implications for targeted organizations. Unlike the impersonal nature of a ransom note or email, a phone call from an unidentified number can be far more intimidating and unsettling. Employees outside the cybersecurity team may find themselves unexpectedly thrust into the role of negotiator, a position for which they may be ill-prepared.

Threats, Accents, and the Unpredictable Nature of Phone Negotiations

The Volcano Demon group's phone calls are described as "threatening in nature," with the attackers using "heavy accents" that have made it difficult to pinpoint their geographic origin. This added layer of uncertainty and potential for escalation can further complicate the already high-stakes situation.

In a traditional ransomware scenario, the victim organization can typically designate a specific team or individual to handle negotiations. However, with phone calls coming at any time, to any number within the organization, the ability to maintain control and consistency in the response becomes significantly more challenging.

Exfiltration and Extortion: A Dual-Pronged Approach

The Volcano Demon group's tactics go beyond just encrypting the victim's data. Prior to the encryption, they also exfiltrate, or steal, the data from the organization's network. This means that even if the ransom is paid and the data is decrypted, the attackers can still threaten to release or sell the stolen information, adding further pressure and potential consequences for the victim.

The ransom note left by the Volcano Demon group leaves no ambiguity about their intentions, clearly stating that the stolen data will be made "widely available to the public" and that "attacks will continue" if the ransom is not paid. This dual-pronged approach of encryption and data theft significantly increases the stakes for the targeted organizations.

Tracing the Calls: A Potential Advantage for Law Enforcement

While the Volcano Demon group has so far used unidentified caller-ID numbers to make their phone calls, security researchers believe that this approach may ultimately work to the advantage of law enforcement. Unlike the anonymity of the dark web, the use of phone calls could provide valuable clues and evidence that could aid in the investigation and potential identification of the attackers.

As the cybersecurity landscape continues to evolve, the Volcano Demon group's tactics serve as a stark reminder of the need for organizations to remain vigilant and prepared for the ever-changing threats posed by ransomware gangs. The ability to adapt and respond effectively to these unconventional methods will be crucial in mitigating the impact of such attacks.
