The two malware families are so similar that it's hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command in RansomHub's variant and the commands that are available to execute via the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it's not hard to change them.
Even the text of the ransom note is copied almost word for word from Knight's, with only the contact links changed and other small edits. It's also possible that Knight/Cyclops itself was derived from other ransomware families from the past.
"A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption," the Symantec researchers said. "This technique was previously employed by Snatch ransomware in 2019 and allows encryption to proceed unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub."