Knight Ransomware Used in a Spam Campaign Impersonating TripAdvisor

How the campaign works?

• The campaign uses an HTML attachment named ‘TripAdvisor-Complaint-[random].PDF.htm that redirects users to a fake browser window for TripAdvisor. 
• This browser window pretends to be a complaint submitted to a restaurant while asking the users to review it.
• Once the user clicks on the ‘Read Complaint’ button, an Excel file named ‘TripAdvisor_Complaint-Possible-Suspension.xll’ is downloaded onto the system, which further causes the execution of the ransomware.

More about Knight's operations

• As part of the program, it continues to recruit affiliates on the RAMP hacking forum to enhance its data-stealing ability from Windows and Linux systems.
• In addition to the normal encryptors, the Knight ransomware operation offers a ‘lite’ version to be used in spam, pray-and-spray, and batch distribution campaigns.

Encryption and ransom demand

• The Knight Lite ransomware encryptor, injected into a new explorer.exe process, is used to encrypt the files on targeted computers. 
• Upon encryption, the .knight_1 extension is appended to the encrypted files’ names, where ‘1’ stands for lite. 
• Then, the ransomware creates a note in each folder on the computer, demanding a ransom of $5,000 to be sent to a the provided Bitcoin address. 

Conclusion