Introduction
Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolution of the Cyclops ransomware family. The ransomware targets both Windows and Linux/ESXi systems, encrypting files with strong symmetric and asymmetric cryptography and appending the .knight extension. Knight affiliates employ a double-extortion model, stealing sensitive data before encryption and threatening to leak it via a Tor-based site. Distribution methods include phishing campaigns delivering malicious attachments, exploitation of vulnerabilities in public-facing services, and use of previously compromised credentials. The ransomware is modular, allowing affiliates to deploy only the components needed for a given environment, and has been used in attacks on healthcare, manufacturing, finance, and technology sectors across North America, Europe, and Asia. Knight’s leak site lists victims with partial data dumps to pressure payment, escalating to full leaks if negotiations fail.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.