This FortiGuard Labs Ransomware Roundup article covers the Knight ransomware.
Knight Ransomware Overview:
Knight is a relatively new ransomware group that arrived in August 2023. Like many attackers, the gang behind this variant employs double extortion tactics, where the Knight ransomware encrypts files on victims’ machines and exfiltrates data for extortion purposes.
Knight's predecessor, Cyclops, shipped multi-OS tooling for Windows, Linux, and macOS. So, while FortiGuard Labs had only located a Windows build of the Knight ransomware at the time of its investigation, it seems likely that other versions are on the way.
Infection Vector: According to an advisory by CERT Italy in early September, Knight targeted Italian organizations with phishing campaigns using emails with malicious attachments. The same was reported in early August by security researcher @felixw3000. In addition, Remcos and Qakbot malware are known to deliver the Knight ransomware to compromised machines.
Victimology: According to data collected, the Knight ransomware group has targeted multiple industry verticals. While Retail was most affected by the Knight ransomware, the group also victimized organizations in healthcare, including hospitals, physicians’ clinics, and dental offices, indicating that the threat actor has no reservations about impacting people who need medical care. When classifying victim organizations by country, the US is in first place by a significant margin.
Figure 1: Top sectors targeted by Knight ransomware (source: FortiRecon).
Figure 2: Top countries targeted by Knight ransomware (source: FortiRecon).
As of October 20, 2023, the Knight ransomware group had last posted new victims on October 18th.
Knight Ransomware Execution: Once a network has been compromised and data has been exfiltrated, the Knight ransomware encrypts files and appends a “.knight_l” extension to each encrypted file.
Figure 3: File encrypted by the Knight ransomware and its ransom note.
It then drops a ransom note labeled, “How To Restore Your Files.txt.”
Figure 4: Ransom note dropped by the Knight ransomware.
Because the Knight ransomware targets enterprises, the ransom fee is set at a relatively high price. However, the Bitcoin wallet in this ransom note had no recorded transactions at the time of our investigation.
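The two host artefacts the article names (the appended “.knight_l” extension and the “How To Restore Your Files.txt” note) are enough for a quick post-incident sweep of a file share. The script below is an added example written for this page, not FortiGuard's or Red Sky Alliance's code; the sample directory tree it scans is constructed inline, and the function names are this example's own.

```python
"""Triage sweep for Knight ransomware artefacts on a directory tree.

Reports (a) files carrying the ".knight_l" extension the article says Knight
appends to encrypted files and (b) copies of the ransom note
"How To Restore Your Files.txt". The sample tree in build_sample_tree() is
constructed for this demonstration; function and file names are this
example's own, not part of the original article.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".knight_l"                     # extension appended by Knight (from the article)
RANSOM_NOTE = "How To Restore Your Files.txt"    # ransom note file name (from the article)


def scan_for_knight(root):
    """Walk root and return {"encrypted": [...], "notes": [...]} as sorted relative paths."""
    root = Path(root)
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name.lower().endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(rel)
            elif name == RANSOM_NOTE:
                hits["notes"].append(rel)
    hits["encrypted"].sort()
    hits["notes"].sort()
    return hits


def original_name(encrypted_path):
    """Strip the appended extension to recover the pre-encryption file name."""
    if encrypted_path.lower().endswith(ENCRYPTED_EXT):
        return encrypted_path[: -len(ENCRYPTED_EXT)]
    return encrypted_path


def affected_directories(hits):
    """Directories that hold at least one encrypted file or ransom note."""
    dirs = {str(Path(p).parent) for p in hits["encrypted"] + hits["notes"]}
    return sorted(dirs)


def build_sample_tree(base):
    """Constructed sample: two share folders hit, one untouched."""
    layout = {
        "finance/Q3.xlsx.knight_l": b"\x00" * 16,
        "finance/How To Restore Your Files.txt": b"ransom note text",
        "hr/contracts.docx.knight_l": b"\x00" * 16,
        "hr/How To Restore Your Files.txt": b"ransom note text",
        "public/readme.txt": b"untouched",
    }
    for rel, data in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo_scan():
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_knight(tmp)


if __name__ == "__main__":
    result = demo_scan()
    for p in result["encrypted"]:
        print("encrypted:", p, "->", original_name(p))
    for p in result["notes"]:
        print("ransom note:", p)
    print("affected directories:", affected_directories(result))
```

Run it against a mounted share instead of the temp tree by calling scan_for_knight() with the share's path; the extension match is the stronger signal, since a ransom note can be copied around after the fact while the extension is only applied by the encryptor itself.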
Data Leak Site: The Knight ransomware group operates a Tor site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.
Figure 5: Top page of the Knight ransomware’s data leak site.
Figure 6: Post regarding a victim with ongoing negotiation.
Figure 7: Post on one of the Knight ransomware victims.
The group also uses a second Tor site for disclosing stolen data and has abused several publicly available file-sharing services, such as Mega, Gofile, and UploadNow, to host leaked files.
Figure 8: Locations of the data stolen and leaked by the Knight ransomware group.
IOCs
File IOCs (SHA-256)
Knight ransomware:
1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d
2bfababf54992c32afced15b355cf7fcf7c6b0783cfee9086e80893d5f5124ed
3ed381014d25a9796bd6d007573b2abe152ee455738ae5f2288e5146726f3b2e
3f029aee12d43e3c67c4ab07c43bcd0960fa9f6a371f40577004673ac95e870c
40c6896d761595fe190e0fa891462bfb120579b6399bd28f40839c017a367538
4416ba60d11b0e8eafa07f3c3051c2d84ffcb5c860d458b6a1374fdc935e92f2
484414d68e1c3e79e602ed2876e963161916e21ea4e2c920da5cc623ea19731f
50ce3d6e410f0f83c9407a572eb29733084fed94f5dacff59cea350bcccee27d
581c6c58e6ea187e74bc23d8d0fa9feb7dc5cc2db4ca887afee5be229532e8e2
5ec48925f73ea58a27d6306d23d76b5da41e16754f58f26098ed36f0d1f198c8
6ff69b6e0f778aabf521a72a70c34274acfabc59a3472f7cba2372ebb8875d0f
70d2891a1cb3b6172428ea9cdb5a81b0494deac02b7dee91527a17fb9f53509a
712fc089cb028e381e285685519df357fb4102f8bc8de31547a9b98ca7629e49
7b4d227fddcc4e93ea0cdf017026ff2dad6efd6bc7de71b689dc0595a2a4fb4d
7f99540993e2afc351776b85ea22661d3701743521d55d657abdb23e12c93c00
a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956
b586d60beb49b362d4cd9b8d64fc9a3eef3da76b0f494c42c4ac30d6612d8993
b5deec95d1f50229e1361ca47761b9742006f484cf1f2c31ba8a495afb814ae2
cb41bbbe053e7a9b4857bf89c92298e7c0abdf9da157185fcfec5b383fe1e62c
cd92bf9c3349b086eec621de247bbb1bceebffb90863a46496c3b41fb13ec745
ce609604f4deb265ed957540b86ba96b33d26399c8d508110d78b0602f9d9d3a
d256bb30d0609d0e3aa7f1b98077dda6136f2f3604beb71ec982d8125d2858ed
e2af95e7827144a9278fcbb87fe8d9a4cfdb8f69b2f43f63c9e26aa6a33cc2ed
e5f1f8f5b2b4304493f416b54324c0b0e0253ed07ee1f4512bbe184e32e4580a
ecafd694118c4bcd21b4f7a620ed8a1346932f05acefe8cd32a01febec9a92d9
fba8fee602b5c3db46cbbb45ff2f8aa72791f47f8b8c6a556334d3d3358cebba
Knight ransomware dropper:
1341bd6193ea223c05566aaca13fc1152732b67af8344519d6efaaf9ab6ed5f4
14ab9dc515dc22f0bbf5f3e44cc280e35331bf9209b6c4d35b86bfe3f32bcd23
167678eb9daa2376bd805069fac69c42b0ad0c6f70b9d644161970c1770c117f
3bd52cefc9d88c5292275729ca096c131a5db8c77ec142493a066623270cb782
3fbedfb9ae1e9bcef7983491124e3a50937f9c5209b7cfc2614197a2e8045cfb
4f1e46ac9e46f019d3be3173f0541f5ed07bde6389180cd7e8255d35b49f812e
554990b8636baf5af393d52ce85150a8b263b9c5fb214bc0e69a1b032ee8f3ae
5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe
5c0f3de1254bcad7f457ad1898df2fdbe44dc964b5e92fba125c19888481da75
5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff
61bb91bc554d9b849cbd670669365bc5a58a8c5f9a0f530b8ed9a4b8f0968186
716341671eff8ca18c5f5bbf38095d07225141d02854168f854b168731b4c71c
75e227a3a41dc1c2d4384e877d88f9a06437a49f2c71f8efa7e2cc60bab6cc4a
7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9
9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a
a2c654357d790d7c4cec619de951649db31ecdb63935f38b11bb37f983ff58de
b6064f6936f72d1312f40f86f0cb889c6d0477c20f59c6c96c385c6287f701f7
b94e28bc2e23eeff0d8c26334ef6c59d86a45fec37ffc83ab585d34019247355
bb65532e8a52e282d98938031c0d75155082933524924d01de4246e12690cf9c
c42ad519510936f14ab46fbad53606db8132ea52a11e3fc8d111fbccc7d9ab5a
dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408
eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18
f2571431c9d8e87081816d46cda9bde8d98b081056fdc2114e88cbad2d544cec
Network IOCs
Knight ransomware dropper locations (URLs defanged):
hxxp://89.23.96.203/333/1[.]exe
hxxp://89.23.96.203/333/2[.]exe
hxxp://89.23.96.203/333/3[.]exe
hxxp://89.23.96.203/333/4[.]exe
hxxp://89.23.96.203/333/6[.]exe
hxxp://89.23.96.203/333/7[.]exe
hxxp://89.23.96.203/333/8[.]exe
hxxp://89.23.96.203/333/9[.]exe
hxxp://89.23.96.203/333/92[.]exe
hxxp://89.23.96.203/333/10[.]exe
hxxp://89.23.96.203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es[.]exe
hxxp://89.23.96.203/333/xwenxub285p83ecrzvft[.]exe
hxxp://89.23.96.203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR[.]exe
hxxp://89.23.96.203/333/cv4TCGxUjvS[.]exe
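The IOCs above are published defanged (hxxp, [.]), so they have to be refanged before they can be compared with proxy logs or file hashes. The script below is an added example for this page, not FortiGuard's or Red Sky Alliance's tooling: it refangs a subset of the URLs copied from the table, matches them and their host against constructed proxy log lines, and looks up observed SHA-256 values in two hashes copied from the file IOC table. The log format, log lines, and function names are this example's own assumptions.

```python
"""Refang the published Knight IOCs and match them against local telemetry.

The URL and hash strings are copied from the IOC tables above. The proxy log
format and the log lines are constructed for this example; nothing here is
the original article's code.
"""
import re
from urllib.parse import urlparse

# Three URLs copied from the Network IOCs table, still defanged.
DEFANGED_URLS = [
    "hxxp://89.23.96.203/333/1[.]exe",
    "hxxp://89.23.96.203/333/92[.]exe",
    "hxxp://89.23.96.203/333/xwenxub285p83ecrzvft[.]exe",
]

# Two entries copied from the File IOCs table, keyed by lowercase SHA-256.
IOC_SHA256 = {
    "1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d": "Knight ransomware",
    "1341bd6193ea223c05566aaca13fc1152732b67af8344519d6efaaf9ab6ed5f4": "Knight ransomware dropper",
}


def refang(url):
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def build_indicators(defanged_urls):
    """Return (exact refanged URLs, hosts) to match on."""
    urls = {refang(u) for u in defanged_urls}
    hosts = {urlparse(u).hostname for u in urls}
    return urls, hosts


# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_proxy_log(lines, defanged_urls):
    """Return (client, url, reason) for each line that touches a dropper URL or host."""
    urls, hosts = build_indicators(defanged_urls)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently match
        url = m.group("url")
        host = urlparse(url).hostname
        if url in urls:
            hits.append((m.group("client"), url, "exact dropper URL"))
        elif host in hosts:
            # Same staging host, a path the table does not list: the table shows
            # many file names under /333/, so treat any hit on the host as suspect.
            hits.append((m.group("client"), url, "dropper host, unlisted path"))
    return hits


def match_hashes(observed, ioc_table=IOC_SHA256):
    """Case-insensitive lookup of observed SHA-256 digests in the IOC table."""
    return {h.lower(): ioc_table[h.lower()] for h in observed if h.lower() in ioc_table}


# Constructed sample proxy log (not real telemetry).
SAMPLE_LOG = [
    "2023-10-18T09:12:01Z 10.0.4.17 GET http://89.23.96.203/333/1.exe 200",
    "2023-10-18T09:12:05Z 10.0.4.17 GET http://89.23.96.203/333/5.exe 404",
    "2023-10-18T09:13:44Z 10.0.7.2 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, reason in match_proxy_log(SAMPLE_LOG, DEFANGED_URLS):
        print(f"{client} -> {url} ({reason})")
    print(match_hashes(["1112D8346EE413AC8AECAF5BC0DC5400041669116A5A596C6BE2E24C6886849D"]))
```

Matching on the host as well as the exact URL matters here because every dropper URL in the table sits under the same /333/ path on one IP; a download of an unlisted file name from that host is still worth pulling for analysis. Hashes are normalised to lowercase before lookup because tools disagree on digest case.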
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS - Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/5993554863383553632