Mount Locker has been a swiftly moving threat. Having just hit the RaaS scene in the second half of 2020, the group released a major update that broadened its targeting capabilities. It also added improved detection evasion. Attacks have continued to escalate, and now, another major update signals an aggressive shift in Mount Locker’s tactics.

The operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid, in a double-extortion gambit. They’re also known for demanding multimillion-dollar ransoms and stealing especially large amounts of data (up to 400 GB).

Mount Locker uses off-the-shelf, legitimate tools to move laterally, steal files and deploy encryption. This includes the use of AdFind and BloodHound for Active Directory and user reconnaissance; FTP for file exfiltration; and the pen-testing tool Cobalt Strike for lateral movement and the delivery and execution of encryption, potentially through PsExec.
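Because each of these tools is legitimate on its own, a single sighting is a weak signal; several stages on one host in a short span is a stronger one. The sketch below is an added example, not code from the article or from any vendor: it correlates process-creation events per host, and the log format, host names, stage labels and four-hour window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> pattern on the process command line. These are the tools' default
# binary names; renamed copies need hash or behaviour matching instead.
STAGES = {
    "ad_recon": re.compile(r"\b(adfind|sharphound)(\.exe)?\b", re.I),
    "exfil_ftp": re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I),
    "remote_exec": re.compile(r"\b(psexec(64)?|psexesvc)(\.exe)?\b", re.I),
}

# Constructed sample events, one per line: "ISO time|host|command line".
SAMPLE_LOG = r"""
2021-04-20T09:02:11|FS01|C:\Temp\AdFind.exe -f objectcategory=computer
2021-04-20T09:40:03|FS01|C:\Windows\System32\ftp.exe -s:C:\Temp\up.txt
2021-04-20T10:15:47|FS01|C:\Temp\PsExec.exe \\WS07 -s cmd.exe
2021-04-20T11:00:00|WS03|C:\Tools\PsExec.exe \\WS09 ipconfig
2021-04-21T16:30:00|WS03|C:\Windows\System32\ftp.exe -s:C:\jobs\nightly.txt
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        yield datetime.fromisoformat(ts), host, cmd

def correlate(log, window=timedelta(hours=4), min_stages=2):
    """Return {host: sorted stage names} for hosts where at least
    min_stages distinct stages occur within `window` of each other."""
    hits = defaultdict(list)  # host -> [(time, stage)]
    for ts, host, cmd in parse(log):
        for stage, pat in STAGES.items():
            if pat.search(cmd):
                hits[host].append((ts, stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

In the constructed data, FS01 shows all three stages within about 75 minutes and is flagged, while WS03's isolated admin PsExec and next-day scheduled FTP job are not.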

After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control (C2) channels. “… indicates that Mount Locker is increasing its capabilities and is becoming a more dangerous threat.” These scripts were not just blanket steps to disable a large swath of tools; they were customized and targeted to the victim’s environment.

Another change in tactics for the group involves using multiple Cobalt Strike servers with unique domains. It’s an added step that helps with detection evasion.