The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it’s not hard to change them.

Even the text of the ransom note is copied almost word for word from Knight’s with only the contact links changed and other small edits. It’s also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.

“A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption,” the Symantec researchers said. “This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub.”