A relatively new ransomware strain behind a series of breaches on corporate networks has gained new capabilities that broaden the scope of its targeting and help it evade security software, along with tooling that lets its affiliates run double-extortion attacks.
The MountLocker ransomware, which only started making the rounds in July 2020, has already gained notoriety for stealing files before encrypting them and demanding ransoms in the tens of millions to prevent public disclosure of the stolen data, a tactic known as double extortion.
“The MountLocker Operators are clearly just warming up. After a slow start in July they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher,” researchers from the BlackBerry Research and Intelligence Team said.
“MountLocker affiliates are typically fast operators, rapidly exfiltrating sensitive documents and encrypting them across key targets in a matter of hours.”
MountLocker also joins other ransomware families such as Maze (which shut down its operations last month) in running a site on the dark web to name and shame victims and provide links to leaked data.
To date, the ransomware has claimed five victims, although the researchers suspect the number could be “significantly higher.”
Offered as ransomware-as-a-service (RaaS), MountLocker was notably deployed this August against the Swedish security firm Gunnebo.
Although the company said it had successfully thwarted the ransomware attack, the criminals behind the intrusion went on to steal 18 gigabytes of sensitive documents, including schematics of client bank vaults and surveillance systems, and published them online in October.
According to BlackBerry's analysis, the threat actors behind MountLocker affiliate campaigns used Remote Desktop Protocol (RDP) with compromised credentials to gain an initial foothold in the victim's environment (as was also observed in the Gunnebo breach), then deployed tooling to carry out Active Directory reconnaissance (AdFind), spread the ransomware laterally across the network, and exfiltrate critical data over FTP.
The ransomware itself is lightweight and efficient. On execution it terminates security software, encrypts files with the ChaCha20 stream cipher, and drops a ransom note containing a Tor .onion URL where the victim can contact the criminals over a dark-web chat service and negotiate a price for the decryption software.
It also uses an embedded RSA-2048 public key to wrap the encryption key, deletes volume shadow copies to prevent recovery of the encrypted files, and finally deletes itself from disk to cover its tracks.
The researchers point out, however, that the ransomware seeds its key generation with the Windows GetTickCount API, which is not a cryptographically secure source of randomness: the tick count is a 32-bit millisecond counter of time since boot, which leaves the resulting keys potentially susceptible to a brute-force attack.
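The intrusion chain and on-host behaviour described above lend themselves to a simple correlation rule. What follows is an added example written for this page, not BlackBerry's code or anything the article itself contains: it runs four observable stages (an RDP logon from a non-RFC1918 address, AdFind-style directory enumeration, a bulk upload over FTP, and shadow-copy deletion) over a handful of constructed, already-normalised log records and reports hosts where the later stages follow the logon within a window. The field names, the 12-hour window, the byte threshold, and the choice to model shadow-copy deletion as a vssadmin command line (the article does not say how MountLocker deletes them) are all assumptions; mapping real Windows 4624/4688 events and network telemetry onto this schema is left to the reader.

```python
"""Correlation rule for the MountLocker-style intrusion chain.

Added example, not the article's or BlackBerry's code. The records below are
CONSTRUCTED and already normalised to one dict per event; real telemetry
(Windows Security log, EDR, NetFlow/proxy) must be mapped onto these fields
first. Shadow-copy deletion is modelled as a vssadmin command, an assumption.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 5737 documentation ranges stand in for external addresses here. Note that
# Python's ipaddress marks those ranges as non-global, so the internal check is
# done against RFC 1918 explicitly rather than via is_private/is_global.
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry. 4688 command lines require the "Include command
# line in process creation events" audit policy to be enabled on the host.
SAMPLE_EVENTS = [
    {"ts": "2020-10-02T01:12:03Z", "host": "SRV-FS01", "kind": "logon", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.25"},
    # AdFind renamed to af.exe: the rule keys on the LDAP filter, not the image name.
    {"ts": "2020-10-02T01:14:40Z", "host": "SRV-FS01", "kind": "process", "event_id": 4688,
     "user": "svc_backup", "image": "C:\\Windows\\Temp\\af.exe",
     "cmdline": "af.exe -f (objectcategory=computer) -csv name operatingsystem"},
    {"ts": "2020-10-02T02:20:05Z", "host": "SRV-FS01", "kind": "netconn",
     "dst_ip": "198.51.100.7", "dst_port": 21, "bytes_out": 3_600_000_000},
    {"ts": "2020-10-02T03:45:00Z", "host": "SRV-FS01", "kind": "process", "event_id": 4688,
     "user": "svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign: a helpdesk admin RDPs in from the LAN and opens Notepad.
    {"ts": "2020-10-02T09:00:00Z", "host": "WS-042", "kind": "logon", "event_id": 4624,
     "logon_type": 10, "user": "helpdesk", "src_ip": "10.20.0.15"},
    {"ts": "2020-10-02T09:01:00Z", "host": "WS-042", "kind": "process", "event_id": 4688,
     "user": "helpdesk", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip):
    return any(ip_address(ip) in net for net in _RFC1918)


def is_external_rdp_logon(ev):
    """4624 with logon type 10 (RemoteInteractive) from a non-RFC1918 source."""
    return ev["kind"] == "logon" and ev.get("logon_type") == 10 and not is_internal(ev["src_ip"])


def is_ad_recon(ev):
    if ev["kind"] != "process":
        return False
    cmd = ev.get("cmdline", "").lower()
    return "adfind" in ev.get("image", "").lower() or "objectcategory=" in cmd


def is_ftp_exfil(ev, threshold=500_000_000):
    """Large outbound transfer on FTP ports to a non-RFC1918 destination (assumed threshold)."""
    return (ev["kind"] == "netconn" and ev["dst_port"] in (20, 21)
            and ev["bytes_out"] >= threshold and not is_internal(ev["dst_ip"]))


def is_shadow_copy_deletion(ev):
    return (ev["kind"] == "process" and "vssadmin" in ev.get("image", "").lower()
            and "delete shadows" in ev.get("cmdline", "").lower())


STAGES = [
    ("ad_recon", is_ad_recon),
    ("ftp_exfil", is_ftp_exfil),
    ("shadow_copy_deletion", is_shadow_copy_deletion),
]


def correlate(events, window=timedelta(hours=12)):
    """Return {host: [stage names]} where an external RDP logon is followed,
    within `window`, by at least one later stage. The logon alone is a weak
    signal and is not reported by itself."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = {}
    for host, evs in by_host.items():
        for anchor in (e for e in evs if is_external_rdp_logon(e)):
            t0 = _ts(anchor)
            later = [e for e in evs if t0 <= _ts(e) <= t0 + window]
            hit = ["rdp_external_logon"] + [name for name, pred in STAGES if any(pred(e) for e in later)]
            if len(hit) > 1 and len(hit) > len(findings.get(host, [])):
                findings[host] = hit
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Keying the reconnaissance stage on the `objectcategory=` filter rather than the binary name is deliberate: affiliates routinely rename AdFind, and the LDAP filter is what the tool cannot do without. The window and byte threshold are tuning knobs; in an environment where RDP is never exposed externally, the anchor alone already merits a ticket.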
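To make the GetTickCount point concrete, here is an added toy model written for this page; it is not MountLocker's key schedule, which the article does not describe. It assumes the per-file ChaCha20 key is SHA-256 of the 32-bit tick value, that the 12-byte nonce is stored with the ciphertext, and that the file type gives a known plaintext prefix (a PNG signature here). Under those assumptions a defender who can bound the host's uptime at encryption time, say from the System event log's boot record and the file's modification time, recovers the key by trying each candidate tick, without ever needing the RSA-2048-wrapped copy. The ChaCha20 is a from-scratch RFC 8439 implementation so the block runs with the standard library alone.

```python
"""Why a GetTickCount()-seeded key is brute-forceable: an added toy model.

NOT MountLocker's real key schedule (the article does not give it). Assumed:
  key   = SHA-256(tick as 32-bit little-endian)      # <= 32 bits of entropy
  nonce = 12 bytes stored alongside the ciphertext    # known to the defender
  the file type yields a known plaintext prefix       # PNG signature here
ChaCha20 follows RFC 8439 and is implemented inline; no third-party packages.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF
_CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")


def _rotl32(v, c):
    return ((v << c) & _MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = (list(_CONSTANTS) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & _MASK for i in range(16)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) with ChaCha20."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def key_from_tick(tick):
    """ASSUMED weak key schedule: the whole key is a function of a 32-bit tick."""
    return hashlib.sha256(struct.pack("<I", tick & _MASK)).digest()


def recover_tick(ciphertext, nonce, known_prefix, tick_low, tick_high):
    """Brute-force the tick in [tick_low, tick_high] from a known plaintext prefix.

    ciphertext XOR plaintext gives the keystream prefix, so each candidate
    costs one SHA-256 plus a single ChaCha20 block. Returns the tick or None.
    """
    assert len(known_prefix) <= 64, "prefix must fit in the first keystream block"
    target = bytes(c ^ p for c, p in zip(ciphertext[:len(known_prefix)], known_prefix))
    for tick in range(tick_low, tick_high + 1):
        if chacha20_block(key_from_tick(tick), 1, nonce)[:len(target)] == target:
            return tick
    return None


PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def demo():
    """Encrypt a constructed file with a tick-derived key, then recover the key."""
    true_tick = 1_234_567            # constructed: ~20 minutes of uptime
    nonce = bytes(range(12))         # assumed to be stored with the ciphertext
    plaintext = PNG_SIGNATURE + b"constructed image body " * 4
    ciphertext = chacha20_xor(key_from_tick(true_tick), nonce, plaintext)

    # The defender bounds the tick to a few seconds around the estimated
    # uptime-at-encryption (boot time from the System log vs. file mtime).
    found = recover_tick(ciphertext, nonce, PNG_SIGNATURE, true_tick - 1500, true_tick + 1500)
    recovered = chacha20_xor(key_from_tick(found), nonce, ciphertext) if found is not None else None
    return {"true_tick": true_tick, "found_tick": found, "plaintext": recovered}


if __name__ == "__main__":
    r = demo()
    print("tick recovered:", r["found_tick"] == r["true_tick"])
```

Even without an uptime estimate the search space is at most 32 bits (GetTickCount wraps after 49.7 days and in practice advances in roughly 10 to 16 ms steps, which shrinks it further), which an optimised native implementation exhausts offline in hours on a single core. The attack needs the nonce and a known-plaintext prefix, both of which encrypted files commonly provide; a CSPRNG such as BCryptGenRandom would have given the key 256 bits of entropy and made the RSA wrapping actually matter.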
MountLocker's list of encryption targets is extensive: it supports more than 2,600 file extensions spanning databases, documents, archives, images, accounting software, security software, source code, games, and backups. Executable files such as .exe, .dll, and .sys are left untouched.
That is not all. A new variant of MountLocker spotted in late November (dubbed “version 2”) goes a step further, dropping the list of extensions to include in encryption in favor of a short exclusion list: .exe, .dll, .sys, .msi, .mui, .inf, .cat, .bat, .cmd, .ps1, .vbs, .ttf, .fon, and .lnk. Everything else is encrypted.
“Since its inception, the MountLocker group has been seen to both expand and improve their services and malware,” the researchers concluded. “While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term.”