The Retail Sector & United States Lead as Primary Targets of the Knight Ransomware Group
Fortinet researchers have consolidated a profile of the Knight ransomware group, tracking its victimology since its emergence in August 2023. The group is a rebrand of the Cyclops ransomware gang. Notably, the retail sector stands out as the group's primary target, with various healthcare-related sectors closely following. The group places no limits or stipulations on targeting the healthcare sector: its victims have included hospitals, physician offices, and dental offices.
In terms of geographical distribution, the United States accounts for a significant majority, comprising 60% of the group's victims. Following at a distance are countries such as Argentina, Canada, Thailand, and Turkey, each representing 10% of the group's victims.
While initial reports on the group's activities are somewhat limited, cybersecurity entities such as CERT Italy, SentinelOne, and Sophos have observed phishing as the primary infection vector employed by Knight. Security researcher Felix (@felixw3000) from Sophos uncovered that the ransomware gang employed deceptive emails, masquerading as complaints from TripAdvisor, in an attack on August 10th. Knight's encryptor appends the “.knight_l” file extension to encrypted files, and a ransom note is delivered to victims, directing them to a data leak site. Within the ransom note, the gang provides victims with a four-day window to initiate communication. Failure to do so triggers the extortion process, commencing with the public announcement of the organization's breach.