- cross-posted to:
- warroom@lemmy.seedoubleyou.me
The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints.
Knight ransomware is a recent rebrand of the Cyclops Ransomware-as-a-Service, which switched its name at the end of July 2023.
Who is Cyclops and Knight ransomware?
The Cyclops ransomware operation launched in May 2023 when the operators began recruiting affiliates for the new ransomware-as-a-service (RaaS) on the RAMP hacking forum.
A report by Uptycs explains that the operation launched with encryptors for Windows, macOS, and Linux/ESXi. The operation also offers affiliates information-stealing malware for Windows and Linux, which is not normally seen in RaaS operations.
In addition to their normal encryptors, the operation offers a ‘lite’ version for use in spam and pray-and-spray mass distribution campaigns targeting large numbers of users. This version appears to utilize a fixed ransom amount rather than negotiating with victims.
At the end of July, Cyclops rebranded as Knight, also stating they updated the lite encryptor to support ‘batch distribution’ and launched a new data leak site.
“We’ve updated our new panel and officially changed our name to Knight. We are looking for partners (of any kind) that!!!,” reads an announcement on the old Cyclops and new Knight data leak sites.
“We have also updated the lite version to support batch distribution.”
There are currently no victims or stolen files leaked on the Knight data leak site.