The two malware programs are so similar that it's hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command in RansomHub's variant and the set of commands that are available to execute through the Windows command-line shell cmd.exe. However, those commands are configurable in the malware builder when the payload is generated, so they are not hard to change.
Even the text of the ransom note is copied almost word for word from Knight's, with only the contact links changed and a few other small edits. It's also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.
"A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption," the Symantec researchers said. "This technique was previously employed by Snatch ransomware in 2019 and allows encryption to proceed unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it may be another fork of the same original source code used to develop Knight and RansomHub."
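The safe-mode restart Symantec describes is something defenders can look for in process-creation telemetry. The detection below is an added example and is not part of the original article or of Symantec's research. The article does not give RansomHub's or Knight's actual commands, so the mechanism assumed here is the one Snatch was documented using in 2019: switching the boot entry to safe mode with bcdedit, registering a service under the SafeBoot registry key so the payload still starts in safe mode, and then forcing a reboot. The regexes, the ten-minute correlation window and the Sysmon-style sample events are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed mechanism (not from the article): the payload sets the boot entry to
# safe mode with bcdedit, registers its own service under the SafeBoot key so it
# is still started in safe mode, and then forces a reboot. Each step is matched
# on the process command line of a Sysmon Event ID 1 / Security 4688 record.
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\b\s+(?:minimal|network)", re.I)
SAFEBOOT_REG = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s[/-]r\b", re.I)
WINDOW = timedelta(minutes=10)  # a reboot this soon after a safeboot change is the strong signal

# Constructed sample telemetry; these are not real RansomHub or Knight events.
SAMPLE_EVENTS = [
    {"ts": "2024-06-05T10:00:05Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c sc query WinDefend"},
    {"ts": "2024-06-05T10:00:31Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c bcdedit /set {current} safeboot minimal"},
    {"ts": "2024-06-05T10:00:33Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r"cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc /ve /t REG_SZ /d Service /f"},
    {"ts": "2024-06-05T10:01:10Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "shutdown.exe /r /t 0 /f"},
    # Routine maintenance reboot on another host with no prior safeboot change: no alert.
    {"ts": "2024-06-05T11:30:00Z", "host": "FS02", "user": "CORP\\svc_patch",
     "cmdline": "shutdown /r /t 60 /c \"Patch Tuesday\""},
    # Reboot on WS01 a day later, well outside the correlation window: no alert.
    {"ts": "2024-06-06T09:00:00Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "shutdown /r /t 0"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_safe_mode_reboot(events, window=WINDOW):
    """Return findings for safe-mode preparation and for a reboot that follows it.

    A lone bcdedit or registry hit is medium: administrators rarely do this, but it
    can be legitimate. A reboot on the same host within `window` of such a change
    is high and carries the preparatory command lines as evidence.
    """
    findings = []
    prepared = {}  # host -> [(timestamp, cmdline)] of safeboot changes seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 timestamps sort lexically
        host, cmd = ev["host"], ev["cmdline"]
        evidence = []
        if SAFEBOOT_SET.search(cmd):
            rule, severity = "bcdedit-safeboot-set", "medium"
            prepared.setdefault(host, []).append((_ts(ev["ts"]), cmd))
        elif SAFEBOOT_REG.search(cmd):
            rule, severity = "safeboot-service-registration", "medium"
            prepared.setdefault(host, []).append((_ts(ev["ts"]), cmd))
        elif REBOOT.search(cmd):
            now = _ts(ev["ts"])
            evidence = [c for t, c in prepared.get(host, []) if timedelta(0) <= now - t <= window]
            if not evidence:
                continue  # an ordinary reboot
            rule, severity = "safeboot-then-reboot", "high"
        else:
            continue
        findings.append({"rule": rule, "severity": severity, "host": host,
                         "user": ev["user"], "ts": ev["ts"], "cmdline": cmd,
                         "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in detect_safe_mode_reboot(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['ts']} {f['host']} {f['rule']}: {f['cmdline']}")
```

Run against the sample, the two preparatory commands on WS01 each produce a medium finding and the forced reboot 39 seconds later produces the high one; the maintenance reboot on FS02 and the next-day reboot on WS01 produce nothing. In a real deployment the same matching belongs in the SIEM or EDR rule language, and the builder-configurable cmd.exe commands mentioned above are a reminder that exact command strings drift between samples, which is why the correlation keys on the safeboot change plus reboot rather than on any one string.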