A reasonably new ransomware pressure guiding a sequence of breaches on corporate networks has developed new capabilities that enable it to broaden the scope of its focusing on and evade protection software—as very well as with capacity for its affiliate marketers to start double extortion assaults.
The MountLocker ransomware, which only began generating the rounds in July 2020, has currently gained notoriety for stealing documents right before encryption and demanding ransom quantities in the tens of millions to reduce community disclosure of stolen information, a tactic known as double extortion.
“The MountLocker Operators are clearly just warming up. Soon after a slow start off in July they are speedily attaining ground, as the significant-profile mother nature of extortion and information leaks drive ransom needs at any time bigger,” scientists from BlackBerry Analysis and Intelligence Staff stated.
“MountLocker affiliate marketers are usually rapidly operators, speedily exfiltrating sensitive documents and encrypting them throughout crucial targets in a matter of hrs.”
MountLocker also joins the likes of other ransomware people like Maze (which shut down its operations previous thirty day period) that work a internet site on the darkish net to title and disgrace victims and supply hyperlinks to leaked facts.
To date, the ransomware has claimed 5 victims, despite the fact that the researchers suspect the quantity could be “considerably bigger.”
Presented as Ransomware-as-a-Provider (RaaS), MountLocker was notably deployed earlier this August against Swedish security organization Gunnebo.
Even though the corporation said it had effectively thwarted the ransomware assault, the criminals who orchestrated the intrusion finished up thieving and publishing on the web 18 gigabytes of delicate paperwork, including schematics of client lender vaults and surveillance devices, in October.
Now according to BlackBerry’s examination, menace actors guiding MountLocker-related affiliate strategies leveraged remote desktop (RDP) with compromised qualifications to attain an first foothold on a victim’s setting — something that was noticed in Gunnebo’s hack as very well — and subsequently deploy applications to have out network reconnaissance (AdFind), deploy the ransomware and laterally distribute across the community, and exfiltrate important facts by way of FTP.
The ransomware in itself is lightweight and successful. Upon execution, it proceeds to terminate safety computer software, trigger encryption employing ChaCha20 cipher, and generate a ransom observe, which consists of a hyperlink to a Tor .onion URL to speak to the criminals via a “darkish world wide web” chat service to negotiate a rate for decrypting software program.
It also uses an embedded RSA-2048 community vital to encrypt the encryption vital, deletes volume shadow copies to thwart restoration of the encrypted information, and inevitably eliminates alone from the disk to cover its tracks.
The researchers, nevertheless, issue out that the ransomware employs a cryptographically insecure method known as GetTickCount API for a vital era that could be vulnerable to a brute-force attack.
MountLocker’s listing of encryption targets is substantial, with guidance for about 2600 file extensions spanning databases, files, archives, photos, accounting software package, protection application, resource code, games, and backups. Executable information these types of as .exe, .dll, and .sys are still left untouched.
Which is not all. A new variant of MountLocker noticed in late November (dubbed “version 2”) goes a move additional by dropping the checklist of extensions to be included for encryption in favor of a lean exclusion list: .exe, .dll, .sys, .msi, .mui, .inf, .cat, .bat, .cmd, .ps1, .vbs, .ttf, .fon, and .lnk.
“Due to the fact its inception, the MountLocker group has been observed to both equally develop and make improvements to their services and malware,” the scientists concluded. “While their latest capabilities are not specially innovative, we hope this group to proceed establishing and increasing in prominence above the shorter term.”