Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers. The change in tactics appears to coincide with a renaming of the malware to “AstroLocker.” According to investigators, Mount Locker has been a fast-moving threat.

As is well known, modern ransomware not only locks files but also steals data and threatens to leak it if the ransom is not paid. Mount Locker follows the same double-extortion model. The group is also known for demanding multi-million dollar ransoms and stealing huge amounts of data.

In terms of technical approach, Mount Locker uses legitimate, readily available tools to move laterally, steal files, and deploy encryption. This includes the use of AdFind and BloodHound for Active Directory and user reconnaissance; FTP for file exfiltration; and the Cobalt Strike penetration-testing tool for lateral movement and for delivering and executing the encryptor, potentially via PsExec.
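As an added defender-side example (not code from the original article or from any vendor report), the following Python sketch shows how the tool chain named above can be surfaced from process-creation telemetry: AdFind and the SharpHound collector used with BloodHound for reconnaissance, a PsExec-style service binary for lateral movement, and scripted ftp.exe runs for exfiltration. The log records are constructed and simplified (Sysmon-like field names are an assumption, not a real product schema), and the rule names, stage labels and the two-stage escalation threshold are choices made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events; field names are an assumption,
# not a real product schema. The notepad event is benign control data.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"corp\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt", "parent": "explorer.exe"},
    {"host": "ws01", "user": r"corp\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer", "parent": "cmd.exe"},
    {"host": "ws01", "user": r"corp\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All", "parent": "powershell.exe"},
    {"host": "dc01", "user": r"corp\svc_backup",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe", "parent": "services.exe"},
    {"host": "ws01", "user": r"corp\jdoe",
     "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp.exe -s:C:\Temp\up.txt", "parent": "cmd.exe"},
]

# Each rule: (rule name, stage of the intrusion chain, regex applied to
# "<image> <cmdline>"). Rule names and stage labels are hypothetical.
RULES = [
    # AdFind run with an LDAP filter (-f) is a common AD enumeration pattern.
    ("ad_recon_adfind", "recon",
     re.compile(r"\badfind(\.exe)?\b.*\s-f\s", re.I)),
    # SharpHound is the BloodHound collector; also catch the PowerShell variant.
    ("ad_recon_sharphound", "recon",
     re.compile(r"\bsharphound(\.exe)?\b|\binvoke-bloodhound\b", re.I)),
    # PSEXESVC is the service binary PsExec drops on the remote host.
    ("lateral_psexec_service", "lateral",
     re.compile(r"\bpsexesvc(\.exe)?\b", re.I)),
    # ftp.exe driven by a script file (-s:) rather than interactively.
    ("exfil_ftp_scripted", "exfil",
     re.compile(r"\bftp(\.exe)?\b\s.*-s:", re.I)),
]


def detect(events):
    """Return one finding per (event, matching rule), preserving event order."""
    findings = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmdline']}"
        for name, stage, rx in RULES:
            if rx.search(haystack):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "stage": stage})
    return findings


def stages_by_host(findings):
    """Map each host to the sorted list of distinct chain stages seen on it."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {host: sorted(s) for host, s in stages.items()}


def escalate(findings, min_stages=2):
    """Hosts where at least `min_stages` distinct stages appear: a single
    AdFind run may be an admin, but recon plus exfil tooling on one host
    deserves an analyst's attention."""
    return sorted(h for h, s in stages_by_host(findings).items()
                  if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['user']:16} {f['stage']:8} {f['rule']}")
    print("escalate:", escalate(found))
```

The per-host stage correlation is the part worth keeping when adapting this to real telemetry: any one of these binaries can appear in legitimate administration, so the signal comes from several stages of the chain landing on the same host or under the same account within a short window.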

The Mount Locker group may want to rebrand to create a new, more professional image, or the change could be an attempt to launch a true ransomware-as-a-service (RaaS) program. Regardless, any organization that becomes a victim of AstroLocker in the future should investigate both Mount Locker and AstroLocker TTPs.

Experts agree that Mount Locker is increasing its capabilities and becoming a more dangerous threat. The scripts seen in these recent campaigns were not just generic steps to disable a wide variety of security tools, but were customized and targeted at the victim’s environment.

See also:
PureLocker Ransomware that encrypts servers
Cyborg Ransomware distributed through Email
