It happens very often nowadays to witness the sudden disappearance of ransomware groups that have been active for only a few months. In the last three years, we have counted at least twenty of them that have “vanished from the radar” of journalists and researchers. Some of these have decided, in complete silence, to rebrand, while others have publicized it through their own leak website. One of these groups that chose to do it “in broad daylight” is Cyclops, which, from its blog in late July 2023, announced its “new brand”: Knight version 2.0
From September 2023 to the present, Knight has published information on 43 victims on its blog, but a member of the group has informed us that the actual number of affected victims is much higher, although the exact number was not specified.
Knight is a Ransomware-as-a-Service (RaaS) group that employs the double extortion methodology. In this approach, their affiliates have complete control over every action taken against their victims, from identifying the name and nationality of the targeted entity to determining the ransom amount requested for the decryption of exfiltrated files. Knight has stated that it has never interfered with the activities of its affiliates, even during negotiations, unless the affiliate specifically requested their intervention.
We do not target any particular country and all actions are initiated by our affiliates.
We do not intervene in any negotiations unless requested to do so by our affiliates.
Furthermore, we also know that in the first four months of its existence, Knight granted its affiliates complete freedom to target victims across various sectors, including the medical-hospital sector, education, telecommunications, industry, and finance. However, in recent weeks, affiliates have been prohibited from targeting two specific entities: public medical-hospitals and government entities.
We believe that this decision to refrain from targeting these two types of entities is primarily driven by a self-interest motive—to maintain a low profile and avoid drawing the attention of law enforcement. However, we hope, perhaps naively, that at least in the case of medical-hospitals, the reasons are primarily related to the protection of patients’ health.
We are aware of at least two variants of the ransomware, one of which is described as the “lite version”. This version is mainly used for spam/phishing campaigns, such as the one observed last August targeting TripAdvisor and its customers through emails containing false complaints, as discovered by security researcher Felix from Sophos.
It can be confirmed that the design of the “lite version” was created by a Knight affiliate, while the ransomware group provided the locker. Infected machines can be identified by the extension added to encrypted files, .knight_l, where “l” stands for “lite”. A peculiar feature found in all ransomware notes we have examined is the intentionally unusual ransom amount randomly generated by the version written by the Knight affiliate. The ransom notes always include a different BTC wallet, all of which currently show no transactions.
“US $14052 in Bitcoin is the price for restoring all of your data,”
or
“US $14493 in Bitcoin is the price for restoring all of your data,”
or
“US $18991 in Bitcoin is the price for restoring all of your data.”
or
“US $18947 in Bitcoin is the price for restoring all of your data.”
or
“US $17957 in Bitcoin is the price for restoring all of your data.”
In the past few days, we reached out to the group, requesting an interview. We opted not to ask technical questions, as detailed technical profiles of the Knight group had already been published on other professional websites. Instead, our aim was to pose non-technical questions to the ransomware group, providing readers with a different perspective on understanding the less technical aspects of a ransomware group.
SuspectFile: The first samples of Knight were detected and analyzed in May 2023, but we know that they are nothing more than the evolution of the Cyclops ransomware. From the conducted analyses, strong similarities with parts of the Babuk and LockBit 2.0 code have emerged. In the recent past, you claimed to have connections with these two groups; can you elaborate on that?
Knight: We don’t claim to have anything to do with them, it’s some media nonsense they’re reporting to get attention, and we have a completely different code than they do and use a different development language
SuspectFile: Even in the “Knight” version, the targeted platforms are Windows, MacOS, Linux/EXSi. Among these, which do you consider the most vulnerable platform to your attacks?
Knight: Windows
SuspectFile: In the “Cyclops” version, you used Curve25519, HC-256, ChaCha20 for encrypting data on Windows machines. Does Knight use the same encryption structure, or have you further improved it, although we believe that the one in Cyclops was already of a high standard?
Knight: We’ve upgraded the encryption a bit, but the encryption algorithm hasn’t changed, it’s just smarter
SuspectFile: What can you tell us about the phishing campaigns you conducted in Italy? This seems to be an unconventional attack methodology for a Ransomware Group. Do you believe this type of attack might become a trend used by other groups in the future?
Knight: This is entirely initiated by our affiliates, we simply provide the locker
SuspectFile: We observed samples written in both C++ and Go. What is the reason, if any, for this diversity in coding?
Knight: There is no particular reason for this, as there are so many versions to be developed that we have different coders, and the person responsible for maintenance develops in the language they know best.
SuspectFile: In the analysis of some samples conducted in the Italian laboratories of CERT-AGID, it was found that data encryption operations are blocked if the detected machine language (via GetSystemDefaultUILanguage and GetUserDefaultUILanguage) belongs to the CIS block or Chinese and Arabic-speaking countries. Can we define Knight as a politically motivated group, or is this another tactic to obfuscate the attribution of your country of origin, as seen in the past with other groups?
Knight: There’s no political agenda. We just need the money.
SuspectFile: Returning to the phishing campaigns, many were targeted at private users. This distribution model of malware can be considered “quite open,” where anyone who acquired it could disseminate it without specific technical knowledge. Is your group reorganized with the sole purpose of “business at any cost,” akin to when the LockBit code was made public?
Knight: Can’t tell you much more than that, all I can tell you is that we have a lot of experienced coders and we are constantly upgrading our panels and lockers!
SuspectFile: How would you define your group, then?
Knight: We are like most teams, we just need to make money, maybe the only difference is that we hope we can survive in this industry for a long time
SuspectFile: The names listed on your blog don’t seem to include “important victims.” Is the choice not to target strategic objectives aimed at maintaining a low profile and, consequently, avoiding attention from law enforcement?
Knight: It’s all done by the affiliates, we don’t interfere.
SuspectFile: You have disclosed about 40 victims from August 2023 to January 2024. However, how many victims have there actually been to date?
Knight: Most of them are not made public, mainly because we try to help affiliates sell the target’s data after negotiations with the target have failed, and we only make it public when no one buys it, so well over 40
SuspectFile: As Italian researchers, we are particularly interested in the ransomware phenomenon affecting entities in our country. It seems that, like some other groups, Italy is a state on which you and your affiliates focus attention. Is there a valid reason, or do you think that Italian IT infrastructures are less effectively protected?
Knight: There is no particular concern that Italians don’t have the sense to protect their privacy, and not paying for it might generate a lot of fraud because their data will be on the underground market.
SuspectFile: Your goals span various fields: medicine, education, industry, telecommunications, finance. Only once, at least from what you report, have you targeted a government institution. What is the motivation behind this—low likelihood of a government institution paying the ransom, or is the reason also to avoid drawing attention from law enforcement?
Knight: We don’t interfere with everyone’s activities, so we can’t give you a definitive answer to this question
SuspectFile: We ask every ransomware group about the relationship they have with their affiliates. SuspectFile.com has read hundreds of negotiation chats involving different groups over the years. In several cases, communication problems emerged during negotiations. The victim requested concrete proof of data breach and file tree, but the operator couldn’t respond because all the data was in the hands of the affiliate who attacked the victim. Don’t you think these situations can undermine the credibility and reliability of a ransomware group?
Knight: We have some requirements for our affiliates, if they can’t fulfill them in the agreement, we will stop cooperation with them, the target of requesting the file tree is usually not willing to pay, because they just want to know what files they have leaked and work out the remedial measures, so we understand the affiliates who can’t provide the file tree, we usually ask them to provide the data firstly and we will In general, we first ask them to provide the data and we will store it, if after the target pays, similar data still appears on the market and the affiliate can’t give us a reasonable explanation, we will also stop the cooperation.
SuspectFile: In the recent past, some well-known ransomware groups disbanded for various reasons, including total disagreement on some “guidelines” imposed by the group’s leaders. Did the Ransomware Group Knight (Cyclops) also originate from the dissolution of other groups, or did you, as happened with many others, decide as an affiliate that it was time to get to work?
Knight: We have some rules, other than that we don’t have strict requirements, disbanding maybe because their team structure is too complicated, our team has been working with each other for many years so we won’t disband, we’ll keep it running even if it doesn’t make us enough money.
SuspectFile: Do you also believe, as confirmed by other groups, that some cybersecurity companies on which companies rely as “negotiators” will eventually secretly reach an agreement with the ransomware group? Has this ever happened to you?
Knight: Negotiators from cybersecurity companies are more specialized because there are some things they can understand better, but again I still think it’s perfect for Target to approach us on their own because there are some cybersecurity companies that will take the majority of money
SuspectFile: In fact, most companies in any sector invest little or nothing in cybersecurity. Besides that, what are the main shortcomings that companies should address, given that very often (also in your case), the main entrance to corporate IT systems is unknowingly opened by poorly trained personnel (referring, for example, to phishing emails)?
Knight: There is no such thing as an absolutely secure network.
SuspectFile: What do you think about the release of the LockBit code and the increasing number of new groups emerging due to this data leak? Groups formed, very often, by very young individuals without programming knowledge?
Knight: They don’t have the ability to make updates and upgrades, which in turn disrupts the market, and they can’t even provide the decryptor for the target company after they get the money, that’s why many mature teams still seek to cooperate with us, because we will be the first to solve the problem whenever it arises.
SuspectFile: What reasons, if any, in addition to money and your skills, have motivated you to take this path in your life?
Knight: Maybe it’s the desire to build a perfect product, my team and I want to be the best in a certain industry, and in the end the willingness to choose this industry maybe because we find it more interesting here
SuspectFile: When you target a medical entity or a healthcare provider, do you proceed with encrypting the data in addition to extracting it?
Knight: 3 weeks ago, we updated our rules to prohibit encryption of nonprofit hospitals and government agencies
Update: 1/27/2024
In the past few hours, with the Ransomware Group Knight, we wanted to delve deeper into the issue of attacks on medical-hospital facilities. We asked them again if the prohibition imposed on their affiliates exclusively pertained to public facilities, thus leaving affiliates with complete freedom of action towards private ones.
They confirmed that no public hospital providing emergency services or having surgical departments, for example, will be targeted by ransomware attacks.
SuspectFile: So, do you confirm that the prohibition on targeting medical-hospital entities applies exclusively to public facilities?
Knight: Non-profit healthcare organizations, we have notified them that encryption is prohibited, and if certain organizations experience such an attack, we will be ready to provide decryptors. Perhaps our understanding is different, this does not include for-profit organizations involved in plastic surgery and the like, but it does include equipment for first aid as well as surgery, etc. If they can provide proof of urgency, we will resolve the issue within 24 hours.
All actions involving life, children and the elderly are prohibited. We have communicated the ban to the affiliates, and we cleaned up 2 affiliates that were not following the rules.
In October of last year, a Knight affiliate had targeted the private Argentine hospital, Hospital Italiano de Buenos Aires. The ransomware group subsequently published over 21 GB of sensitive data exfiltrated during the attack on the hospital’s servers, data that is still available on their website.
We believe and hope that after more than two months, the hospital has managed to restore the entire computer network.
SuspectFile:We had read a few months ago that one of your affiliates had targeted an Argentine hospital, but it was your intention to provide the decryption program. Can you tell us what’s true about all of this?
Knight: If they reach out to us, we’ll provide them with the decryptor.