The two malware programs are so similar that it is difficult to distinguish their code, Symantec researchers said, noting that the only differences are the sleep command added to the RansomHub variant and the set of commands available for execution through the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it is not easy to change.
Even the text of the ransom note was copied almost verbatim from Knight’s with only the contact links changed and some minor editing. It is also possible that Knight/Cyclops itself is derived from other classic ransomware programs.
“A unique feature present in both Knight and RansomHub is the ability to restart the endpoint in safe mode before starting the encryption,” Symantec researchers said. “This technique was previously used by Snatch ransomware in 2019 and allows encryption to continue unblocked by the operating system or other security mechanisms. Snatch is also written in Go and has many of the same features, suggesting it could be another fork of the original source code used to develop Knight and RansomHub.”
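The safe-mode restart described above leaves a detectable trace on the endpoint: on Windows the standard way to force the next boot into safe mode is a `bcdedit` change to the `safeboot` value, followed by a reboot. The detection below is an added example, not Symantec's analysis or code from either ransomware family; it assumes Sysmon-style process-creation records (constructed here, in chronological order) and that the malware uses `bcdedit` rather than some other mechanism.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry); each record
# mimics the fields a Sysmon / EDR "process created" event would carry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "ws01", "user": "CORP\\alice", "cmdline": 'cmd.exe /c "bcdedit /set {current} safeboot network"'},
    {"host": "ws02", "user": "CORP\\bob",   "cmdline": "bcdedit /deletevalue {default} safeboot"},
    {"host": "ws03", "user": "CORP\\carol", "cmdline": "bcdedit /enum"},
    {"host": "ws03", "user": "CORP\\carol", "cmdline": "shutdown /r /t 0"},
    {"host": "ws01", "user": "CORP\\alice", "cmdline": "shutdown /r /f /t 0"},
]

# Assumed indicators: setting safeboot (minimal or network) forces the next boot into
# safe mode; deleting the value is the usual cleanup after encryption finishes.
SAFEBOOT_SET = re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+safeboot\s+(minimal|network)", re.I)
SAFEBOOT_CLEAR = re.compile(r"bcdedit(?:\.exe)?\s+/deletevalue\s+\{[^}]+\}\s+safeboot", re.I)
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def classify(event):
    """Return a Finding for a safeboot set/clear command line, else None."""
    cmd = event["cmdline"]
    m = SAFEBOOT_SET.search(cmd)
    if m:
        return Finding(event["host"], event["user"], f"safeboot-set:{m.group(1).lower()}", cmd)
    if SAFEBOOT_CLEAR.search(cmd):
        return Finding(event["host"], event["user"], "safeboot-cleared", cmd)
    return None


def scan(events):
    """All safeboot-related findings, in event order."""
    return [f for f in (classify(e) for e in events) if f]


def hosts_with_forced_safe_mode_reboot(events):
    """Hosts where safeboot was set and, while still set, a reboot was requested."""
    armed, hits = set(), []
    for e in events:
        f = classify(e)
        if f and f.rule.startswith("safeboot-set"):
            armed.add(e["host"])
        elif f and f.rule == "safeboot-cleared":
            armed.discard(e["host"])
        elif REBOOT.search(e["cmdline"]) and e["host"] in armed:
            hits.append(e["host"])
    return hits
```

Only the set-then-reboot correlation is high confidence; a lone `bcdedit /set ... safeboot` also appears in legitimate troubleshooting, so it belongs in a lower-severity rule.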