A lightweight, newly updated version of the MountLocker ransomware is gaining popularity among hackers who are leasing the malware in greater numbers to hijack data from a wide variety of targets in diverse geographic areas, a new report said.
BlackBerry’s research and intelligence team, which has tracked the MountLocker operatives since October, said affiliate hackers are combining the ransomware with other malware, such as AdFind, to set up an attack and subsequently spread the infection with easily available tools, namely CobaltStrike Beacon, and other public software. MountLocker ransomware-as-a-service (RaaS) has been active since July, 2020 and last month was upgraded to broaden the targeting of file types and skirt security software, the researchers said.
BlackBerry’s security team has been monitoring MountLocker affiliate campaigns as part of its investigation, the company said in a blog post. “The affiliates are typically responsible for the initial compromise, distribution of MountLocker ransomware, and exfiltration of sensitive client data during a breach,” the analysts said.
Here are some BlackBerry’s findings from the investigation:
- Victims’ files are encrypted using the ChaCha20 encryption algorithm and file encryption keys are encrypted using RSA-2048.
- The ransomware appears to be somewhat secure. There are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker uses a cryptographically insecure method for key generation that may be prone to attack.
MountLocker affiliates were observed:
- Exfiltrating sensitive client data via FTP prior to encryption.
- Engaging in blackmail and extortion tactics with the operator to coerce victims into making hefty payments to recover and prevent the public disclosure of stolen data.
- Owing to the RaaS and affiliate program, targeting is geographically diverse and becoming more prominent.
MountLocker threat actors regularly exploit Microsoft’s remote desktop protocol (RDP) with compromised credentials to gain access to a victim’s network, BlackBerry said. In one example of an affiliate suspected of interacting with MountLocker operations, BlackBerry observed the hacker hold an entry point it had dug into an organization for “several” days without initiating an attack. The vendor’s researchers surmised that the threat actors were “negotiating with the MountLocker operators to join their affiliate program and obtain the ransomware.”
BlackBerry’s researchers called MountLocker affiliate “fast operatives,” in that they are quick to exfiltrate sensitive material and encrypt it in just a few hours. “The MountLocker operators are clearly just warming up,” the intelligence team said. Given ransomware's propagation and profit potential, expect MountLocker to continue to improve their services and malware, the analysts said. “While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term,” BlackBerry said.