On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Knight ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High
Knight is a relatively new ransomware group that arrived in August 2023. Like many attackers, the gang behind this variant employs double extortion tactics, where the Knight ransomware encrypts files on victims’ machines and exfiltrates data for extortion purposes.
The predecessor of Knight, Cyclops, had multi-OS tools for Windows, Linux, and Mac OS. So, while FortiGuard Labs had only located a Windows version of the Knight ransomware at the time of our investigation, it seems likely that other versions may be on the way.
According to an advisory by CERT Italy in early September, Knight targeted Italian organizations with phishing campaigns using emails with malicious attachments. The same was reported in early August by security researcher @felixw3000. In addition, Remcos and Qakbot malware are known to deliver the Knight ransomware to compromised machines.
According to data collected through Fortinet's FortiRecon service, the Knight ransomware group has targeted multiple industry verticals. While Retail was most affected by the Knight ransomware, the group also victimized organizations in healthcare, including hospitals, physicians’ clinics, and dental offices, indicating that the threat actor has no reservations about impacting people who need medical care.
When classifying victim organizations by country, the United States is in first place by a significant margin.
As of October 20, 2023, the Knight ransomware group had last posted new victims on October 18th.
Once a network has been compromised and data has been exfiltrated, files encrypted by the Knight ransomware are appended with a “.knight_l” file extension.
Because the Knight ransomware targets enterprises, the ransom fee is set at a relatively high price. However, the Bitcoin wallet in this ransom note had no recorded transactions at the time of our investigation.
The Knight ransomware group owns a TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.
The group also uses another TOR site for disclosing stolen data and has abused several publicly available file-sharing services, such as Mega, Gofile, and UploadNow.
Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:
FortiGuard Labs detects the Knight ransomware samples with the following AV signature:
FortiGuard Labs detects the known Knight ransomware droppers with the following AV signature:
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
Known hosting sites of the Knight ransomware droppers are blocked by the Web filtering client.
SHA2 |
Note |
1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d |
Knight ransomware |
2bfababf54992c32afced15b355cf7fcf7c6b0783cfee9086e80893d5f5124ed |
|
3ed381014d25a9796bd6d007573b2abe152ee455738ae5f2288e5146726f3b2e |
|
3f029aee12d43e3c67c4ab07c43bcd0960fa9f6a371f40577004673ac95e870c |
|
40c6896d761595fe190e0fa891462bfb120579b6399bd28f40839c017a367538 |
|
4416ba60d11b0e8eafa07f3c3051c2d84ffcb5c860d458b6a1374fdc935e92f2 |
|
484414d68e1c3e79e602ed2876e963161916e21ea4e2c920da5cc623ea19731f |
|
50ce3d6e410f0f83c9407a572eb29733084fed94f5dacff59cea350bcccee27d |
|
581c6c58e6ea187e74bc23d8d0fa9feb7dc5cc2db4ca887afee5be229532e8e2 |
|
5ec48925f73ea58a27d6306d23d76b5da41e16754f58f26098ed36f0d1f198c8 |
|
6ff69b6e0f778aabf521a72a70c34274acfabc59a3472f7cba2372ebb8875d0f |
|
70d2891a1cb3b6172428ea9cdb5a81b0494deac02b7dee91527a17fb9f53509a |
|
712fc089cb028e381e285685519df357fb4102f8bc8de31547a9b98ca7629e49 |
|
7b4d227fddcc4e93ea0cdf017026ff2dad6efd6bc7de71b689dc0595a2a4fb4d |
|
7f99540993e2afc351776b85ea22661d3701743521d55d657abdb23e12c93c00 |
|
a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956 |
|
b586d60beb49b362d4cd9b8d64fc9a3eef3da76b0f494c42c4ac30d6612d8993 |
|
b5deec95d1f50229e1361ca47761b9742006f484cf1f2c31ba8a495afb814ae2 |
|
cb41bbbe053e7a9b4857bf89c92298e7c0abdf9da157185fcfec5b383fe1e62c |
|
cd92bf9c3349b086eec621de247bbb1bceebffb90863a46496c3b41fb13ec745 |
|
ce609604f4deb265ed957540b86ba96b33d26399c8d508110d78b0602f9d9d3a |
|
d256bb30d0609d0e3aa7f1b98077dda6136f2f3604beb71ec982d8125d2858ed |
|
e2af95e7827144a9278fcbb87fe8d9a4cfdb8f69b2f43f63c9e26aa6a33cc2ed |
|
e5f1f8f5b2b4304493f416b54324c0b0e0253ed07ee1f4512bbe184e32e4580a |
|
ecafd694118c4bcd21b4f7a620ed8a1346932f05acefe8cd32a01febec9a92d9 |
|
fba8fee602b5c3db46cbbb45ff2f8aa72791f47f8b8c6a556334d3d3358cebba |
|
1341bd6193ea223c05566aaca13fc1152732b67af8344519d6efaaf9ab6ed5f4 |
Knight ransomware dropper |
14ab9dc515dc22f0bbf5f3e44cc280e35331bf9209b6c4d35b86bfe3f32bcd23 |
|
167678eb9daa2376bd805069fac69c42b0ad0c6f70b9d644161970c1770c117f |
|
3bd52cefc9d88c5292275729ca096c131a5db8c77ec142493a066623270cb782 |
|
3fbedfb9ae1e9bcef7983491124e3a50937f9c5209b7cfc2614197a2e8045cfb |
|
4f1e46ac9e46f019d3be3173f0541f5ed07bde6389180cd7e8255d35b49f812e |
|
554990b8636baf5af393d52ce85150a8b263b9c5fb214bc0e69a1b032ee8f3ae |
|
5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe |
|
5c0f3de1254bcad7f457ad1898df2fdbe44dc964b5e92fba125c19888481da75 |
|
5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff |
|
61bb91bc554d9b849cbd670669365bc5a58a8c5f9a0f530b8ed9a4b8f0968186 |
|
716341671eff8ca18c5f5bbf38095d07225141d02854168f854b168731b4c71c |
|
75e227a3a41dc1c2d4384e877d88f9a06437a49f2c71f8efa7e2cc60bab6cc4a |
|
7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9 |
|
9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a |
|
a2c654357d790d7c4cec619de951649db31ecdb63935f38b11bb37f983ff58de |
|
b6064f6936f72d1312f40f86f0cb889c6d0477c20f59c6c96c385c6287f701f7 |
|
b94e28bc2e23eeff0d8c26334ef6c59d86a45fec37ffc83ab585d34019247355 | |
bb65532e8a52e282d98938031c0d75155082933524924d01de4246e12690cf9c |
|
c42ad519510936f14ab46fbad53606db8132ea52a11e3fc8d111fbccc7d9ab5a |
|
dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408 |
|
eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18 |
|
f2571431c9d8e87081816d46cda9bde8d98b081056fdc2114e88cbad2d544cec |
URL |
Note |
hxxp://89.23.96.203/333/1[.]exe |
Knight ransomware dropper location Knight ransomware dropper location |
hxxp://89.23.96.203/333/2[.]exe |
|
hxxp://89.23.96.203/333/3[.]exe |
|
hxxp://89.23.96.203/333/4[.]exe |
|
hxxp://89.23.96.203/333/6[.]exe |
|
hxxp://89.23.96.203/333/7[.]exe |
|
hxxp://89.23.96.203/333/8[.]exe |
|
hxxp://89.23.96.203/333/9[.]exe |
|
hxxp://89.23.96.203/333/92[.]exe |
|
hxxp://89.23.96.203/333/10[.]exe |
|
hxxp://89.23.96.203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es[.]exe |
|
hxxp://89.23.96.203/333/xwenxub285p83ecrzvft[.]exe |
|
hxxp://89.23.96.203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR[.]exe |
|
hxxp://89.23.96.203/333/cv4TCGxUjvS[.]exe |
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Additionally, FortiRecon Digital Risk Protection (DRP), is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.