XingLocker a Ransomware group, is actively using a customized MountLocker ransomware executable. This latest MountLocker operation uses Windows Active Directory APIs to propagate as a worm through networks.
A sample of a new MountLocker executable identified. This new sample includes a worm feature that allows it to spread inside the network and encrypt to other devices.
- An attacker can enable the worm feature by executing the malware sample with the /NETWORK command-line argument. This feature requires a Windows domain to spread.
- MountLocker is now using the Windows Active Directory Service Interfaces API to work as a worm.
- Using this API, ransomware can easily find all devices that are part of the infected Windows domain and then encrypt them with stolen domain credentials.
Recent MountLocker attacks
The ransomware has been active since earlier this year and has targeted several enterprise networks.
- Astrolocker started using a customized version of MountLocker. A connection was spotted between MountLocker and the Astro Locker team.
- MountLocker gang threatened to release stolen data from shipping firm ECU. The gang had stolen 2TB of data belonging to the shipping firm last month
MountLocker may be the first corporate ransomware using Active Directory-related APIs to perform reconnaissance and spread to other devices. Thus, Organizations are recommended to stay vigilant and employ basic security measures, such as taking backup, regularly updating systems, and enabling 2FA.