MountLocker ransomware has been growing steadily since its discovery at the end of July 2020, and it has now become trendy and globally diverse. A theoretical review of a new MountLocker variant was released recently by BlackBerry researchers.
Key Discovery
The new edition of MountLocker first appeared in the wild in late-November, with an early-November compilation timestamp.
- Thanks to excluding the extensive list of file extensions, the latest MountLocker ransomware variant is significantly smaller in scale than the previous models. It shares a resemblance of around 70 percent to the original release of MountLocker, with no noticeable modifications.
- For an initial intrusion into corporate networks, the MountLocker operators depend upon affiliates. The Ransomware-as-a-Service and partner scheme broadly deploy the ransomware, targeting multimillion-dollar decryption services fees.
- In these attacks for surveillance and lateral movement on the network, MountLocker affiliates were detected using public instruments such as CobaltStrike Beacon and AdFind. In contrast, FTP was used before encryption to exfiltrate sensitive client data.
Recent Attacks
- The same version introduced file extensions in the second half of November, such as .tax, .tax2009, .tax2013, .tax2014, affiliated with the TurboTax program for processing tax return records.
- The ransomware group had attacked Sonoma Valley Hospital in the same month and stole and leaked its details online.
- In October, MountLocker attacked Sweden’s security company, Gunnebo AB.
Conclusion
In a brief period, the MountLocker community has been seen expanding its reach and enhancing its capability. The ransomware has threatened victims worldwide, and it is now expected to become a significant challenge for multinational organizations with increased capabilities and association.
