The Knight ransomware is being distributed through an ongoing spam campaign that poses as TripAdvisor complaints. The ransomware itself is a revamped version of the Cyclops Ransomware-as-a-Service; the rebranding took place at the close of July 2023.
The Cyclops ransomware operation emerged in May 2023 and began recruiting affiliates for its new ransomware-as-a-service (RaaS) through the RAMP hacking forum. The operation provided encryptors for Windows, macOS, and Linux/ESXi, along with an unusual addition to its arsenal: an information-stealing malware for both Windows and Linux. It also introduced a 'lite' version of its encryptor, built for spam-driven mass distribution campaigns. This 'lite' variant uses a fixed ransom amount rather than the victim negotiation customary in RaaS operations.
With the rebrand from Cyclops to Knight, the operation added an augmented 'batch distribution' feature to the lite encryptor and launched a new data leak site. Despite these developments, the Knight data leak site still contains no victim-related information or stolen files.
Knight Ransomware Signatures
Family: Ransom:Win64/FileCoder!MSR
MD5: 0466d2952a01e41b5f8025e7f7c1e122
SHA256: 5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe