Mount Locker Ransomware Aggressively Changes Up Tactics
Posted April 22, 2021
- The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers.
- Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion.
- Like many ransomware gangs, the operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid, in a double-extortion gambit.
- Another change in tactics for the group involves using multiple CobaltStrike servers with unique domains. It’s an added step that helps with detection evasion.
- Organizations can look for signs of Mount Locker or AstroLocker within their environments, such as CobaltStrike stagers and beacons; and, they should monitor for the staging and exfiltration of files via FTP.
Tara Seals | April 22, 2021