A relatively new ransomware strain behind a series of breaches on corporate networks has developed new capabilities that allow it to broaden the scope of its targeting and evade security software—as well as with ability for its affiliates to launch double extortion attacks.
The MountLocker ransomware, which only began making the rounds in July 2020, has already gained notoriety for stealing files before encryption and demanding ransom amounts in the millions to prevent public disclosure of stolen data, a tactic known as double extortion.
"The MountLocker Operators are clearly just warming up. After a slow start in July they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher," researchers from BlackBerry Research and Intelligence Team said.
"MountLocker affiliates are typically fast operators, rapidly exfiltrating sensitive documents and encrypting them across key targets in a matter of hours."
MountLocker also joins the likes of other ransomware families like Maze (which shut down its operations last month) that operate a website on the dark web to name and shame victims and supply links to leaked data.
To date, the ransomware has claimed five victims, although the researchers suspect the number could be "far greater."
Offered as Ransomware-as-a-Service (RaaS), MountLocker was notably deployed earlier this August against Swedish security firm Gunnebo.
Although the company said it had successfully thwarted the ransomware attack, the criminals who orchestrated the intrusion ended up stealing and publishing online 18 gigabytes of sensitive documents, including schematics of client bank vaults and surveillance systems, in October.
Now according to BlackBerry's analysis, threat actors behind MountLocker-related affiliate campaigns leveraged remote desktop (RDP) with compromised credentials to gain an initial foothold on a victim's environment — something that was observed in Gunnebo's hack as well — and subsequently install tools to carry out network reconnaissance (AdFind), deploy the ransomware and laterally spread across the network, and exfiltrate critical data via FTP.
The ransomware in itself is lightweight and efficient. Upon execution, it proceeds to terminate security software, trigger encryption using ChaCha20 cipher, and create a ransom note, which contains a link to a Tor .onion URL to contact the criminals via a "dark web" chat service to negotiate a price for decrypting software.
It also uses an embedded RSA-2048 public key to encrypt the encryption key, deletes volume shadow copies to thwart restoration of the encrypted files, and eventually removes itself from the disk to hide its tracks.
The researchers, however, point out that the ransomware uses a cryptographically insecure method called GetTickCount API for key generation that may be susceptible to a brute-force attack.
MountLocker's list of encryption targets is extensive, with support for over 2600 file extensions spanning databases, documents, archives, images, accounting software, security software, source code, games, and backups. Executable files such as .exe, .dll, and .sys are left untouched.
That's not all. A new variant of MountLocker spotted in late November (dubbed "version 2") goes a step further by dropping the list of extensions to be included for encryption in favor of a lean exclusion list: .exe, .dll, .sys, .msi, .mui, .inf, .cat, .bat, .cmd, .ps1, .vbs, .ttf, .fon, and .lnk.
"Since its inception, the MountLocker group has been seen to both expand and improve their services and malware," the researchers concluded. "While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term."