Chris Swagler | September 4th, 2023

Knight ransomware

A new threat is circulating disguised as a TripAdvisor complaint: the Knight ransomware, the rebranded successor of the Cyclops Ransomware-as-a-Service (RaaS). The operation began in May 2023, when Cyclops started recruiting affiliates on the RAMP hacking forum.

Cyclops arrived better equipped than most new RaaS operations. It shipped encryptors for Windows, macOS, and Linux/ESXi and, unusually for a RaaS, information-stealing malware for Windows and Linux. It also offered a 'lite' variant of the encryptor intended for mass-distribution campaigns: instead of negotiating with each victim, the lite build demands a fixed, predetermined ransom amount.

As the operation grew, Cyclops rebranded as Knight. The 'lite' encryptor gained support for 'batch distribution,' and a new data leak site appeared, inviting partners of all kinds to join the scheme.

Knight's most recent delivery method is a spam campaign posing as TripAdvisor complaints. The emails carry a ZIP attachment containing an executable named 'TripAdvisor Complaint – Possible Suspension.exe.' A later version of the campaign introduces an HTML attachment named 'TripAdvisor-Complaint-[random].PDF.htm,' a double extension that makes an HTML file look like a PDF at a glance.

The HTML attachment uses the Browser-in-the-Browser phishing technique documented by the researcher Mr.D0x: a fake browser window is drawn inside the page, here impersonating a TripAdvisor complaint submission form. A victim who clicks the 'Read Complaint' button downloads an Excel add-in (XLL) named 'TripAdvisor_Complaint-Possible-Suspension.xll.' An XLL is a native DLL that Excel loads and executes directly, so no macros are involved. This add-in was built with the Excel-DNA framework, which packages .NET code as an XLL; when loaded, it starts a new explorer.exe process and injects the Knight Lite encryptor into it, and the encryption of the victim's files begins from there.
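The lure chain described above, as an added mail-attachment triage example (this is not SpearTip's code and not the campaign's): parse a message, pull out its attachments, and flag the shapes this campaign relies on, namely a document-looking double extension that ends in .htm, an XLL add-in (a native DLL that Excel executes on load), and content that contradicts its declared type. The message and attachment bodies are constructed placeholders; the sender, the recipient, and the '7f3a2' token standing in for '[random]' are made up for the demo.

```python
"""Mail-attachment triage for the lure shapes described in the article.

Added example, not SpearTip's code and not the campaign's. The message built in
build_sample_eml() is constructed for this demo: sender, recipient and the
random token in the attachment name are made up, and every attachment body is a
few bytes of placeholder content, not real malware.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions whose files run or render active content when opened from a mail client.
ACTIVE_EXTENSIONS = {"exe", "xll", "dll", "htm", "html", "js", "vbs", "scr", "lnk"}
# Document-looking extensions attackers put in front of the real one ('.PDF.htm').
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
PE_MAGIC = b"MZ"      # Windows executables and DLLs (an XLL is a DLL)
PDF_MAGIC = b"%PDF"


def attachment_findings(name: str, payload: bytes, content_type: str) -> list:
    """Return the reasons an attachment looks like a lure (empty list = nothing seen)."""
    findings = []
    exts = name.lower().split(".")[1:]      # every extension, e.g. ['pdf', 'htm']
    final = exts[-1] if exts else ""

    if final in ACTIVE_EXTENSIONS:
        findings.append(f"active content extension .{final}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final in ACTIVE_EXTENSIONS:
        findings.append(f"double extension .{exts[-2]}.{final}: document name, active payload")
    if final == "xll" and payload.startswith(PE_MAGIC):
        findings.append("XLL add-in is a native DLL; Excel runs its code on load, no macros needed")
    if payload.startswith(PE_MAGIC) and final not in {"exe", "dll", "xll"}:
        findings.append("PE executable hidden behind a non-executable extension")
    if (final == "pdf" or content_type == "application/pdf") and not payload.startswith(PDF_MAGIC):
        findings.append("claims to be a PDF but the content is not a PDF")
    return findings


def build_sample_eml() -> bytes:
    """Constructed message mimicking the campaign's lure; all bodies are placeholders."""
    msg = EmailMessage()
    msg["From"] = "complaints@example.invalid"      # constructed, not the campaign's sender
    msg["To"] = "frontdesk@example.invalid"
    msg["Subject"] = "TripAdvisor Complaint - Possible Suspension"
    msg.set_content("A guest filed a complaint about your property. Details attached.")
    # Attachment names follow the article; '7f3a2' stands in for the '[random]' token.
    msg.add_attachment(b"<html><body><button>Read Complaint</button></body></html>",
                       maintype="application", subtype="pdf",
                       filename="TripAdvisor-Complaint-7f3a2.PDF.htm")
    msg.add_attachment(PE_MAGIC + b"\x00" * 62,        # fake DOS header only, not a real PE
                       maintype="application", subtype="octet-stream",
                       filename="TripAdvisor_Complaint-Possible-Suspension.xll")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")        # benign control case
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Map each attachment filename to its list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        report[name] = attachment_findings(name, payload, part.get_content_type())
    return report


if __name__ == "__main__":
    for name, reasons in triage_eml(build_sample_eml()).items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

The checks are deliberately independent of the attachment name the attacker chooses: the double-extension test looks at the whole extension chain, and the magic-byte tests compare what the bytes are against what the name and the Content-Type header claim, so a renamed XLL or an HTML page declared as application/pdf is caught either way.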

The encryptor appends the '.knight_l' extension to each file it encrypts, the suffix marking the 'lite' build, and drops a ransom note named 'How To Restore Your Files.txt' in every folder demanding $5,000 in Bitcoin. Notably, every ransom note seen so far carries the same Bitcoin address, 14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z, which leaves the operators no way to tell which victim made a given payment.

Victims who visit the Knight Tor site are met with a message asserting that they should already have paid the ransom, together with a contact email address. Paying is nonetheless unwise: there is no assurance that a decryptor follows payment, and because every note shares one Bitcoin address, the operators cannot reliably match a payment to a victim, so even a paying victim may never receive a working decryptor. In this Knight Lite campaign, the safest course is not to pay.
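For the host-side artifacts in the two paragraphs above, an added incident-triage example (not SpearTip's tooling): sweep a file tree for '.knight_l' files and 'How To Restore Your Files.txt' notes, extract the Bitcoin addresses from the notes, and flag the shared-address condition that makes payment attribution unreliable. The extension, note name, and address come from the article; the folder layout, the note wording, and the file contents are constructed in a temporary directory for the demo.

```python
"""Sweep a file tree for the Knight Lite artifacts named in the article and
check the Bitcoin addresses in the ransom notes.

Added example, not SpearTip's tooling. The extension, note filename and Bitcoin
address come from the article; the directory tree, the note wording and the
'encrypted' file contents are constructed here in a temporary directory.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".knight_l"                  # suffix appended by the 'lite' encryptor
NOTE_NAME = "How To Restore Your Files.txt"  # ransom note dropped in each folder
# Legacy Bitcoin address shape: leading 1 or 3, then 25-34 base58 characters
# (base58 omits 0, O, I and l). Shape only; this does not verify the checksum.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def sweep(root: Path) -> dict:
    """Count encrypted files and notes under root and tally the addresses in the notes."""
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == ENCRYPTED_EXT:
            encrypted.append(path)
        elif path.name == NOTE_NAME:
            notes.append(path)

    addresses = Counter()
    for note in notes:
        for addr in BTC_ADDRESS_RE.findall(note.read_text(errors="replace")):
            addresses[addr] += 1

    return {
        "encrypted_files": len(encrypted),
        "notes": len(notes),
        "addresses": dict(addresses),
        # One address across many notes is the misattribution problem the article
        # describes: the operators cannot tell which victim a payment came from.
        "single_shared_address": len(notes) > 1 and len(addresses) == 1,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed victim tree: three folders, each with one encrypted file and one note."""
    note_text = ("Your files have been encrypted.\n"           # constructed wording
                 "Pay 5000 USD in Bitcoin to 14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z\n")
    for folder in ("Documents", "Documents/Reports", "Pictures"):
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / f"report.docx{ENCRYPTED_EXT}").write_bytes(os.urandom(32))  # ciphertext stand-in
        (d / NOTE_NAME).write_text(note_text)
    (root / "Documents" / "untouched.txt").write_text("not encrypted\n")


def demo() -> dict:
    """Build the sample tree in a scratch directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    print(demo())
```

On a real host, point sweep() at the affected volume and keep the address tally with the case notes: if the tally shows one address across every note, that is the same condition the article describes, and it is a concrete reason to advise against payment rather than a matter of opinion.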

Attackers keep adapting their lures, and the Knight campaign shows how an innocuous-looking TripAdvisor complaint email can end in file encryption. Defending against it takes both technical controls, such as blocking or inspecting HTML and XLL attachments at the mail gateway, and ongoing user education, so that staff recognize a complaint that arrives as an attachment for what it is. Adaptability and awareness remain the strongest defenses.

SpearTip offers cybersecurity awareness training designed to educate individuals and organizations about best cybersecurity practices and provide the knowledge and skills necessary to protect their systems and data from cyber threats. Our training covers password security, phishing scams, social engineering, malware, data protection, and network security. By providing cybersecurity awareness training, organizations and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks. Cybersecurity awareness training is essential to any comprehensive strategy to protect sensitive information, such as personal data, financial information, or intellectual property, and prevent data breaches, system downtime, and other negative consequences from cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
