Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker
ID: 7e073af8-f245-5701-83c7-207179e36fb7
STIX ID: report--7e073af8-f245-5701-83c7-207179e36fb7
Feed Name: Halcyon Blog
Halcyon researchers report on a new ransomware operator, tracked as "Volcano Demon", that has deployed the LukaLocker encryptor (Windows and Linux variants) in recent attacks. The report details the malware's command-line options; its ChaCha8 bulk encryption with Curve25519 ECDH key exchange and the resulting file footer format; evasion tactics (service/process termination, excluded directories/extensions); IOCs (SHA256 hashes); evidence of data exfiltration for double extortion; and extortion via direct phone calls to executives.