24 April 21, 07:42
Quote:The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers. And, the change in tactics appears to coincide with a rebranding for the malware into “AstroLocker.”
According to researchers, Mount Locker has been a swiftly moving threat. Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion. Attacks have continued to escalate, and now, another major update signals “an aggressive shift in Mount Locker’s tactics,” according to an analysis released Thursday by GuidePoint Security.
Like many ransomware gangs, the operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid, in a double-extortion gambit. They’re also known for demanding multimillion-dollar ransoms and stealing especially large amounts of data (up to 400 GB).
In terms of technical approach, Mount Locker uses off-the-shelf, legitimate tools to move laterally, steal files and deploy encryption, GuidePoint noted. This includes the use of AdFind and Bloodhound for Active Directory and user reconnaissance; FTP for file exfiltration; and the pen-testing tool CobaltStrike for lateral movement and the delivery and execution of encryption, potentially through psExec.
“After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control channels (C2),” said Drew Schmitt, senior threat intelligence analyst for GuidePoint, in the analysis. “These payloads include executables, extensions and unique victim IDs for payment.”
Read more: Mount Locker Ransomware Aggressively Changes Up Tactics | Threatpost