Over the past few days, the monitoring activities of CERT-AGID have identified a fearsome threat that is targeting European companies.
The threat is the Knight ransomware, which is distributed through an email account that, at first glance, appears to belong to a plausible European company. According to experts, the subject of the offending email reads one of two variants: “Fraudulent bank account change” or “Support Request”.
The email message in question provides a text in Italian, together with an attached file named invoices__attachment.html. On opening this file, the unfortunate victim is shown a blurred image of a Word document, with an invitation to download the corresponding file to read it locally.
As you can easily imagine, the document is not what it seems at first glance.
How does Knight ransomware work?
The download is in fact an archive named Fatture-Urgenti-e-Richiesta-Pagamento.zip, which contains 5 files with double extensions.
These are 2 XLL and 3 LNK files which, to the user, appear to be XLSX or DOCX documents. At this point, clicking on any of these files is enough to start the Knight ransomware infection.
The consequences of this action, as can be easily understood, are devastating. The malware encrypts the files present on the infected computer, renames them with the .knight extension and blocks the victim's access to them. At the same time, a ransom note is automatically created.
The note directs the user to a URL on the TOR network, where a ransom in Bitcoin is demanded, currently worth approximately 18,990 dollars (approximately 18,120 euros).
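The lure relies on archive members whose trailing extension (XLL, LNK) is hidden behind a document-like one, so a mail gateway or analyst can flag the ZIP before anyone opens it. The following Python script is an added example, not code from CERT-AGID's report: it scans a ZIP listing for double-extension members and builds a constructed sample archive with invented member names that mirrors the 2 XLL + 3 LNK layout described above.

```python
import io
import zipfile

# Extensions Office or the Windows shell will execute when the file is opened.
EXECUTABLE_EXT = {"xll", "lnk", "exe", "scr", "hta", "js", "vbs", "bat", "cmd"}
# Extensions a user reads as a harmless document; Explorer hides the real trailing
# extension for known types, so "Fattura.xlsx.xll" is displayed as "Fattura.xlsx".
DOCUMENT_EXT = {"xlsx", "xls", "docx", "doc", "pdf", "txt"}

def classify_name(name):
    """Return a reason string if an archive member name looks like a lure, else None."""
    base = name.rsplit("/", 1)[-1]              # drop directory components
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None                              # no extension at all
    final_ext = parts[-1]
    shown = set(parts[1:-1]) & DOCUMENT_EXT      # document-like extensions before the real one
    if final_ext in EXECUTABLE_EXT and shown:
        return f"double extension: shown as .{sorted(shown)[0]} but opens as .{final_ext}"
    if final_ext in EXECUTABLE_EXT:
        return f"executable member type .{final_ext}"
    return None

def suspicious_entries(zip_bytes):
    """Scan an in-memory ZIP; return [(member_name, reason), ...] for lure-like members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample_archive():
    """Constructed sample mirroring the reported lure (2 XLL + 3 LNK hiding behind
    document extensions) plus one harmless text file. Member names are invented."""
    members = {
        "Fattura_01.xlsx.xll": b"placeholder", "Fattura_02.xlsx.xll": b"placeholder",
        "Richiesta_Pagamento.docx.lnk": b"placeholder", "Sollecito.docx.lnk": b"placeholder",
        "Estratto_Conto.xlsx.lnk": b"placeholder", "LEGGIMI.txt": b"harmless",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Calling suspicious_entries(build_sample_archive()) flags the five disguised members and leaves the text file alone; the same function can be fed the raw bytes of a real attachment at a mail gateway.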
Knight is a modified version of the Cyclops ransomware, which was already active online during the month of August. What worries CERT-AGID is the fact that, Qakbot excluded, this is the only attack identified since 2017 that is capable of acting autonomously, without depending on any previous infection of the affected devices.