MountLocker Ransomware: Ransomware-as-a-Service (RaaS) model for Hackers

The BlackBerry Research and Intelligence Team has uncovered an ongoing MountLocker campaign that covers both the initial distribution of the MountLocker ransomware and the exfiltration of sensitive data from corporate networks.

MountLocker is a relatively new ransomware strain that is responsible for past breaches of several corporate networks, and it has now developed new capabilities that broaden the scope of its targeting and help it evade security tools.

MountLocker operates under a Ransomware-as-a-Service (RaaS) model; the updated ransomware has been broadened to target more file types and to evade security software, and it allows affiliates to launch double-extortion attacks.

MountLocker Ransomware exfiltration of sensitive data from corporate networks

MountLocker contains a 2048-bit RSA public key embedded by the attackers, which is imported and used to encrypt the random session keys. Those session keys are generated via the cryptographically insecure GetTickCount API, which opens the possibility that an analyst who knows the timestamp counter value during execution could brute-force the session key.

On initializing the encryption keys, MountLocker creates the ransom note from a template and adds the ransomware file extension to the registry, so that if a user double-clicks an encrypted file the ransom note is opened via Explorer. The file extension is a hex-encoded 4-byte (8-character) "Client ID" that is unique per victim organization.
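The key-generation weakness described above (a session key that depends on a GetTickCount value) modelled as an added example. This is not MountLocker's code and not BlackBerry's analysis: the SHA-256 key derivation, the hash-counter keystream standing in for ChaCha20, the tick value, the file header and the uptime window are all constructed here for illustration. It shows how small the effective keyspace becomes once an analyst knows roughly how long the machine had been running, why that can let a defender recover encrypted files, and how it compares with a key drawn from the OS CSPRNG.

```python
import hashlib
import math
import secrets

# Toy model of a session key seeded from a 32-bit tick count (constructed for
# this example; NOT MountLocker's derivation). A tick-seeded key can take at
# most 2**32 values, and far fewer once the uptime is roughly known.
def key_from_tick(tick_ms: int) -> bytes:
    return hashlib.sha256(tick_ms.to_bytes(4, "little")).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Hash-counter keystream standing in for the real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tick_keyspace_bits(window_ms: int) -> float:
    # Effective key entropy when the tick value is known to lie in a window
    # of window_ms milliseconds.
    return math.log2(window_ms)


def recover_tick_key(ciphertext: bytes, known_prefix: bytes,
                     tick_low: int, tick_high: int):
    """Try every tick in [tick_low, tick_high) and return (tick, key) for the
    candidate that decrypts the start of the file to a known plaintext prefix
    (a file-format magic header), or None if no candidate matches."""
    head = ciphertext[:len(known_prefix)]
    for tick in range(tick_low, tick_high):
        key = key_from_tick(tick)
        if xor_crypt(key, head) == known_prefix:
            return tick, key
    return None


# Constructed scenario: the machine had been up for about 61.4 minutes when a
# PDF was encrypted; the analyst only knows uptime was between 60 and 62 minutes.
VICTIM_TICK = 3_683_456
PDF_HEADER = b"%PDF-1.7\n"
SAMPLE_CIPHERTEXT = xor_crypt(key_from_tick(VICTIM_TICK),
                              PDF_HEADER + b"constructed document body")
SEARCH_LOW, SEARCH_HIGH = 60 * 60_000, 62 * 60_000


def demo() -> dict:
    recovered = recover_tick_key(SAMPLE_CIPHERTEXT, PDF_HEADER,
                                 SEARCH_LOW, SEARCH_HIGH)
    strong_key = secrets.token_bytes(32)  # what a CSPRNG-backed key looks like
    return {
        "window_bits": round(tick_keyspace_bits(SEARCH_HIGH - SEARCH_LOW), 2),
        "full_tickcount_bits": 32,
        "csprng_bits": len(strong_key) * 8,
        "recovered_tick": recovered[0] if recovered else None,
        "plaintext_recovered": (recovered is not None and
                                xor_crypt(recovered[1], SAMPLE_CIPHERTEXT)
                                .startswith(PDF_HEADER)),
    }


if __name__ == "__main__":
    print(demo())
```

The search over a two-minute uptime window is about 2^17 candidates and finishes in well under a second; even the full 32-bit GetTickCount range is trivial next to the 256 bits a CSPRNG-backed key provides. The same known-header trick is how an analyst would confirm a candidate key against a sample of encrypted files during recovery.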

MountLocker leverages Remote Desktop (RDP) with compromised credentials to gain an initial foothold on the victim's system, then deploys malicious tools to carry out network reconnaissance (AdFind), before eventually deploying the ransomware, spreading it across the network, and exfiltrating sensitive data via FTP.

The list of encryption targets supported by MountLocker is quite expansive, with over 2600 file extensions spanning documents, archives, databases, images, accounting and security software, source code, games, and file backups. Executable files such as .dll, .exe, and .sys remain untouched.

Upon execution, MountLocker proceeds to terminate all security software and triggers encryption using the ChaCha20 cipher, creating a ransom note with a link to a Tor .onion address where the victim can contact the attackers via a "dark web" chat portal for price negotiation.
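The intrusion chain described above (an RDP logon with compromised credentials, AdFind reconnaissance, the per-victim hex file extension registered for the ransom note, and FTP exfiltration) expressed as detection logic over constructed telemetry. This is an added example, not BlackBerry's or any vendor's detection content: the log format, host names, IP addresses, the hex extension, the ransom note file name and the corporate address ranges are all assumed. Event IDs follow Windows Security (4624 = logon) and Sysmon (1 = process create, 3 = network connection, 13 = registry value set) numbering.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Format: time|event_id|k=v|k=v...
SAMPLE_LOGS = [
    "2020-11-05T08:01:12Z|4624|host=FS01|user=svc_backup|logon_type=10|src_ip=203.0.113.7",
    "2020-11-05T08:04:33Z|1|host=FS01|user=svc_backup|image=C:\\Temp\\adfind.exe|cmdline=adfind.exe -f objectcategory=computer -csv",
    "2020-11-05T08:40:10Z|3|host=FS01|image=C:\\Windows\\System32\\ftp.exe|dst_ip=198.51.100.23|dst_port=21",
    "2020-11-05T09:12:45Z|13|host=FS01|target=HKCR\\.A1B2C3D4\\shell\\open\\command|details=explorer.exe RANSOM_NOTE_PLACEHOLDER.html",
    "2020-11-05T08:02:00Z|1|host=WS22|user=alice|image=C:\\Windows\\System32\\notepad.exe|cmdline=notepad.exe notes.txt",
    "2020-11-05T08:03:00Z|4624|host=WS22|user=alice|logon_type=2|src_ip=-",
]

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECON_TOOLS = {"adfind.exe"}  # AD reconnaissance tool named in the write-up
# An 8-hex-character extension registered under HKCR (the per-victim "Client ID").
HEX_EXTENSION = re.compile(r"^HKCR\\\.[0-9A-Fa-f]{8}(\\|$)")
# Stages of the chain, in the order the write-up describes them.
CHAIN = ["rdp_logon_external", "ad_recon_tool", "ftp_outbound"]


def parse_line(line: str) -> dict:
    parts = line.split("|")
    event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
             "event_id": int(parts[1])}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "-" for local logons
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines) -> list:
    """Apply the per-event rules and return one finding per matching event."""
    findings = []
    for ev in map(parse_line, lines):
        eid, rule = ev["event_id"], None
        if eid == 4624 and ev.get("logon_type") == "10" and is_external(ev.get("src_ip", "")):
            rule = "rdp_logon_external"  # RemoteInteractive logon from outside
        elif eid == 1 and ntpath.basename(ev.get("image", "")).lower() in RECON_TOOLS:
            rule = "ad_recon_tool"
        elif eid == 3 and ev.get("dst_port") == "21" and is_external(ev.get("dst_ip", "")):
            rule = "ftp_outbound"  # plaintext FTP to an external host
        elif eid == 13 and HEX_EXTENSION.match(ev.get("target", "")):
            rule = "hex_extension_registered"
        if rule:
            findings.append({"time": ev["time"], "host": ev["host"], "rule": rule})
    return findings


def correlate(findings, window=timedelta(hours=4)) -> list:
    """Raise one alert per host where the chain stages occur in order within the window."""
    alerts, by_host = [], defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    for host, host_findings in by_host.items():
        host_findings.sort(key=lambda f: f["time"])
        stage, start = 0, None
        for f in host_findings:
            if f["rule"] != CHAIN[stage]:
                continue
            if stage == 0:
                start = f["time"]
            elif f["time"] - start > window:
                break
            stage += 1
            if stage == len(CHAIN):
                alerts.append({"host": host, "start": start, "end": f["time"]})
                break
    return alerts


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f["time"].isoformat(), f["host"], f["rule"])
    for a in correlate(found):
        print("ALERT: MountLocker-style chain on", a["host"], "between", a["start"], "and", a["end"])
```

Each rule on its own is noisy (administrators use RDP, AdFind has legitimate uses, FTP still exists), which is why the correlation step only alerts when the stages appear in the described order on the same host inside a short window; the hex-extension registration is kept as a stand-alone high-confidence finding because by that point encryption is already under way.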

How to Safeguard against such sophisticated threats

Since its inception in July 2020, MountLocker has been seen to expand and improve its ransomware. While its current capabilities aren't particularly advanced, the group is expected to continue to grow in prominence over the next year.

As such threats continue to evolve, with attackers attempting to sidestep security barriers and find ways to gain access to a broader range of network servers, there is a need for a comprehensive defense system, such as Microsoft Defender for Endpoint and BlackBerry's AI-based endpoint security solution, which are now generally available; Microsoft has also extended its industry-leading endpoint protection to mobile devices.
