Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets
KELA Cyber Intelligence Center
The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.
Cyclops launched its blog in late June. Currently it has 6 victims published. Its representatives have been active on cybercrime forums since May 2023, advertising a new RaaS program under the same name. The actor behind the operation claimed it to be “partner-friendly”, offering two ways of cooperation: “no-deposit”, where the Cyclops team is negotiating with victims; and with deposit, where affiliates can conduct negotiations on their own.
The actor also stated they take “the lowest commission share in the market”, although he didn’t specify the exact share they would take from successfully paid ransoms.
The ads revealed that on May 16-17, 2023 the malware was updated to target EXSi, Linux, and MacOS, in addition to its Windows targeting capabilities.
The gang may use spear-phishing as an initial access vector, as in May, when Cyclops claimed they were looking to distribute their malware through spear-phishing and offered to provide a customized version for collaborators. It is also possible that the gang purchases initial access on cybercrime forums and markets.
At least once, KELA has seen that a Cyclops ransomware attack has followed a sale of access to the victim. On June 21, an access to an Australia-based internet service provider was offered for sale for USD 15,000 and was sold soon afterwards. About a month later, Cyclops published the same victim on their blog. The timeline and the activity of the possible buyer suggest the incidents could be related.
Get notified about threats targeting your organization in real-time. Try KELA’s Cyber Threat Intelligence Platform for Free