Mount Locker Ransomware Introduces Double Extortion Scheme for Fellow Hackers

MountLocker Ransomware Expands Its Reach and Tactics

A recently evolved ransomware family, MountLocker, has become a serious threat to corporate networks: it evades security software and lets its affiliates run double extortion schemes. First seen in July 2020, MountLocker quickly gained notoriety for exfiltrating data before encrypting it and demanding large ransoms to prevent the stolen information from being published.

Researchers at BlackBerry report that the MountLocker operators are gaining traction quickly in the cybercriminal landscape. Pairing encryption with the threat of high-profile data leaks is pushing ransom demands sharply upward. According to the researchers, MountLocker affiliates are adept at compromising key targets, exfiltrating sensitive documents and encrypting them within hours of gaining access.

The family resembles other notorious strains such as Maze, which recently ceased operations. Like Maze, MountLocker runs a dark web site where it names its victims and links to the leaked data. Five victims have been confirmed there so far, but the researchers suspect the true number is considerably higher.

MountLocker operates on a Ransomware-as-a-Service (RaaS) model. One notable target was the Swedish security firm Gunnebo in August. Although the firm contained most of the attack, the criminals stole, and later released online, 18 gigabytes of sensitive data, including schematics of client bank vaults.

Analysis of MountLocker's tactics shows that affiliates gain initial access mainly over Remote Desktop Protocol (RDP) using compromised credentials, which maps to the MITRE ATT&CK Initial Access techniques Valid Accounts (T1078) and External Remote Services (T1133), with RDP itself catalogued as Remote Services: Remote Desktop Protocol (T1021.001). Once inside, the attackers run reconnaissance tools and move laterally to stage the ransomware and exfiltrate critical data.

On execution, the ransomware disables security software and encrypts files with the ChaCha20 stream cipher. It then drops a ransom note directing victims to a Tor-based chat interface for negotiation. The ChaCha20 keys are protected with an embedded RSA-2048 public key, so only the operators, who hold the matching private key, can recover them. The ransomware also deletes Volume Shadow Copies to obstruct recovery and removes its own executable from the compromised system to cover its tracks.

The ransomware is not flawless, however: the researchers found that its key generation relies on an insecure method, which could leave the encryption keys open to brute-force recovery. It targets over 2,600 file extensions, from databases to software source code, while deliberately leaving executables untouched.
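Why the insecure key generation matters: if each per-file ChaCha20 key is derived from a small seed, anyone holding a ciphertext and a known file header can recover the key by searching the seed space, and the RSA-2048 wrapping of that key never has to be broken. The following is an added example, not MountLocker's code. The page does not say what the weak method is; the 32-bit tick-count seed and linear congruential expansion below are an assumption standing in for it, and the ChaCha20 follows the RFC 8439 layout (96-bit nonce, 32-bit counter), which may differ from the sample's own parameterization.

```python
"""Known-plaintext brute force against a weakly seeded ChaCha20 file key.
Added example; the seeding scheme is an assumption, not the sample's."""
import struct


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 8439 section 2.3 (32-byte key, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (4 column + 4 diagonal quarter rounds)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, a, b, c, d)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt; the same keystream XOR serves both directions."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def weak_key_material(seed):
    """ASSUMED weak generator: a 32-bit seed (modelled as a millisecond tick count)
    expanded by an LCG into key || nonce. All 44 bytes carry only 32 bits of entropy."""
    x = seed & 0xFFFFFFFF
    buf = bytearray()
    for _ in range(11):
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF   # Numerical Recipes LCG constants
        buf += struct.pack("<I", x)
    return bytes(buf[:32]), bytes(buf[32:44])


def encrypt_file(plaintext, tick_count):
    """Model of the locker's per-file encryption. A real sample would then RSA-wrap
    the key for the operators; that wrapping is exactly what the search below bypasses."""
    key, nonce = weak_key_material(tick_count)
    return chacha20_xor(key, nonce, plaintext)


def recover_seed(ciphertext, known_prefix, seed_lo, seed_hi):
    """Search [seed_lo, seed_hi) for the seed whose keystream turns the ciphertext
    head back into the known file header. Returns None if the window misses."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(seed_lo, seed_hi):
        key, nonce = weak_key_material(seed)
        if chacha20_xor(key, nonce, head) == known_prefix:
            return seed
    return None


def recover_file(ciphertext, known_prefix, seed_lo, seed_hi):
    seed = recover_seed(ciphertext, known_prefix, seed_lo, seed_hi)
    if seed is None:
        return None
    key, nonce = weak_key_material(seed)
    return chacha20_xor(key, nonce, ciphertext)


# Constructed victim file: a PDF header is a well-known plaintext an analyst can rely on.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample document, not real data\n" * 4
SAMPLE_TICK = 1_234_567                       # roughly 20 minutes of uptime, in ms
SAMPLE_CIPHERTEXT = encrypt_file(SAMPLE_PLAINTEXT, SAMPLE_TICK)

if __name__ == "__main__":
    # The analyst knows the host had been up for about 20 minutes: search a +-5 s window.
    print("recovered seed:", recover_seed(SAMPLE_CIPHERTEXT, b"%PDF-1.", 1_230_000, 1_240_000))
```

Even without an uptime estimate the whole 32-bit seed space is small: an optimized C implementation runs through it in hours on one machine, which is why a seed of this size is fatal regardless of how strong ChaCha20 and RSA-2048 are on their own. A seven-byte known prefix gives a false-match probability of about 2^-56 per candidate, so a single hit is conclusive.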

A newer variant, identified in late November, replaces the inclusion list of target extensions with an exclusion list: everything is encrypted except files with extensions such as .exe, .dll and .sys. This is a strategic shift in targeting that allows for greater coverage and efficiency. Analysts conclude that the MountLocker group is poised to enhance its capabilities further; while its current functionality is not exceptionally advanced, continued improvement and expansion of its operations are likely.

Organizations must stay vigilant and put robust controls in place against threats like MountLocker. Monitoring for its initial access tactics (internet-exposed RDP and misuse of valid credentials), maintaining security awareness and deploying advanced threat detection all help defend against this evolving ransomware landscape.
