A spam campaign is currently underway that distributes the Knight ransomware strain disguised as fake TripAdvisor complaints. Knight is a new version of the previously defunct Cyclops ransomware, and its site does not currently list any victims.
Explanation: In this ongoing campaign, the ransomware, reportedly a new version of the Cyclops ransomware, is packaged in a file that impersonates a TripAdvisor complaint. No victims are listed on the ransomware's site at this time.
The campaign works by using an HTML attachment that redirects users to a fake browser window appearing to be TripAdvisor. This window prompts users to review a complaint supposedly submitted to a restaurant. When the user clicks on the “Read Complaint” button, an Excel file is downloaded, leading to the execution of the ransomware.
The Knight ransomware has gained attention since July, when the gang behind it revamped the panel and program of the previously defunct Cyclops ransomware. The operation recruits affiliates to steal data from Windows and Linux systems. The ransomware is also offered in a “lite” version, which is used in spam, spray-and-pray, and batch distribution campaigns.
Once the ransomware encrypts files on targeted computers, it appends the “.knight_1” extension to their names. A ransom note is created in each folder, demanding a payment of $5,000 to a provided Bitcoin address.
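As an added example (not from the original report or any vendor tool), the two behaviours described above can be turned into a triage check over file-audit events: a burst of files gaining the `.knight_1` extension, plus one identically named file created in every affected folder. The event tuple format, thresholds, and sample events are assumptions constructed for illustration; the ransom note's file name is not given here, so the check infers candidates instead of matching a name.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

KNIGHT_EXT = ".knight_1"  # extension the article says is appended to encrypted files

# Constructed sample events: (epoch_seconds, pid, action, path)
SAMPLE_EVENTS = [
    (100, 4312, "rename", r"C:\Users\a\Docs\q1.xlsx.knight_1"),
    (101, 4312, "rename", r"C:\Users\a\Docs\q2.xlsx.knight_1"),
    (101, 4312, "create", r"C:\Users\a\Docs\README_CONSTRUCTED.txt"),
    (102, 4312, "rename", r"C:\Users\a\Pics\cat.jpg.knight_1"),
    (103, 4312, "rename", r"C:\Users\a\Pics\dog.jpg.knight_1"),
    (103, 4312, "create", r"C:\Users\a\Pics\README_CONSTRUCTED.txt"),
    (104, 4312, "create", r"C:\Users\a\Pics\thumbs.db"),
    (500, 880, "rename", r"C:\Temp\sample.knight_1"),  # lone file, below threshold
]

def find_knight_activity(events, window=60, min_files=4):
    """events: iterable of (epoch_seconds, pid, action, path), a hypothetical
    normalized form of file-audit telemetry. Returns {pid: finding}."""
    hits = defaultdict(list)                         # pid -> [(ts, directory)]
    created = defaultdict(lambda: defaultdict(set))  # pid -> basename -> {directories}
    for ts, pid, action, path in events:
        p = PureWindowsPath(path)
        if p.suffix.lower() == KNIGHT_EXT:
            hits[pid].append((ts, str(p.parent)))
        elif action == "create":
            created[pid][p.name.lower()].add(str(p.parent))
    findings = {}
    for pid, seen in hits.items():
        seen.sort()
        # Sliding window: most .knight_1 events by this process within `window` seconds.
        best, start = 0, 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < min_files:
            continue
        dirs = {d for _, d in seen}
        # Same file name created in every affected folder: likely the ransom note.
        notes = sorted(n for n, where in created[pid].items() if len(dirs) > 1 and dirs <= where)
        findings[pid] = {"burst": best, "dirs": len(dirs), "note_candidates": notes}
    return findings

if __name__ == "__main__":
    print(find_knight_activity(SAMPLE_EVENTS))
```
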
Rebranding ransomware is a common tactic used by cybercriminals to expand their attacks while remaining undetected. While Knight ransomware is a recent example, there have been previous reports of similar incidents. It is highly recommended to follow the mitigation programs launched by CISA to detect and remediate vulnerabilities exploited in ransomware attacks.