Mount Locker Ransomware Aggressively Changes Up Tactics

Mount Locker Ransomware Aggressively Changes Up Tactics

Posted April 22, 2021

Mount Locker Ransomware Aggressively Changes Up Tactics

  • The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers.
  • Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion.
  • Like many ransomware gangs, the operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid, in a double-extortion gambit.
  • Another change in tactics for the group involves using multiple CobaltStrike servers with unique domains. It’s an added step that helps with detection evasion.
  • Organizations can look for signs of Mount Locker or AstroLocker within their environments, such as CobaltStrike stagers and beacons; and, they should monitor for the staging and exfiltration of files via FTP.

Tara Seals | April 22, 2021