The Mount Locker ransomware has already gained notoriety for stealing files before encrypting them and demanding ransoms in the millions to prevent public disclosure of the stolen data, a tactic known as double extortion.
Mount Locker affiliates are typically fast operators, exfiltrating sensitive documents and encrypting key systems across a victim's network in a matter of hours.
Mount Locker also joins ransomware families such as Maze in operating a dark-web site that names and shames victims and links to the leaked data.
Mount Locker is offered as Ransomware-as-a-Service (RaaS). In one intrusion, the criminals who orchestrated it stole and published online 18 gigabytes of sensitive documents, including schematics of client bank vaults and surveillance systems.
Mount Locker affiliate campaigns have used Remote Desktop Protocol (RDP) with compromised credentials to gain an initial foothold in a victim's environment, then deployed tools to carry out network reconnaissance, spread laterally and deploy the ransomware across the network, and exfiltrate critical data via FTP.
The ransomware itself is lightweight and efficient. On execution it terminates security software, encrypts files with the ChaCha20 cipher, and drops a ransom note containing a Tor .onion URL through which the victim can contact the criminals over a dark-web chat service to negotiate a price for the decryption software.
It uses an embedded RSA-2048 public key to encrypt the ChaCha20 encryption key (so that only the holder of the matching private key can recover it), deletes volume shadow copies to thwart restoration of the encrypted files, and finally removes its own executable from disk to cover its tracks.
The ransomware's key generation, however, is cryptographically insecure: it is seeded from the Windows GetTickCount API, which returns the number of milliseconds since boot as a 32-bit value. That is a small, largely predictable search space rather than a source of entropy, so keys generated this way may be recoverable by brute force.
Mount Locker's list of encryption targets is extensive: over 2,600 file extensions spanning databases, documents, archives, images, accounting software, security software, source code, games, and backups. Executable files such as .exe, .dll, and .sys are left untouched.
A newer Mount Locker variant goes a step further, dropping the inclusion list in favour of a lean exclusion list: everything is encrypted except .exe, .dll, .sys, .msi, .mui, .inf, .cat, .bat, .cmd, .ps1, .vbs, .ttf, .fon, and .lnk, roughly the set of file types Windows needs to keep booting, run scripts and display the ransom note.