
How MountLocker Ransomware Uses Windows Active Directory API to Traverse Networks

by CISOCONNECT Bureau

The MountLocker ransomware now uses Windows Active Directory enterprise APIs to traverse networks. Read on to know more…

A modified MountLocker ransomware executable is being used by a new ransomware group known as XingLocker. This new MountLocker variant spreads through networks as a worm using Windows Active Directory APIs.

About MountLocker Ransomware
MountLocker was launched as a Ransomware-as-a-Service (RaaS) in July 2020, with the developers in charge of building the ransomware and the payment site, and affiliates recruited to hack organisations and encrypt their devices. The MountLocker core team keeps a small share of each ransom payment (20-30%), while the affiliate receives the rest.

In March 2021, a new ransomware group known as ‘Astro Locker’ surfaced, which began deploying a customised version of MountLocker ransomware with ransom notes directing users to its own data breach and payment sites.

Finally, in May 2021, a new organisation known as ‘XingLocker’ appeared, which also employed the custom MountLocker ransomware executable.

Working Mechanism
A sample of a new MountLocker executable was recently published by MalwareHunterTeam. This sample includes a worm feature that lets it spread across a network and encrypt data on other devices.

The worm feature is enabled by running the malware sample with the /NETWORK command-line parameter. Propagation through this feature requires a Windows domain.

According to Advanced Intel’s CEO, MountLocker now uses the Windows Active Directory Service Interfaces (ADSI) API to operate as a worm.

The ransomware can use this API to quickly locate any devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials.

Although this API has been seen in earlier malware such as TrickBot, researchers believe MountLocker is the first “professional ransomware” to use it for reconnaissance and propagation to other devices.

Because this API is commonly used by Windows network administrators, security experts believe the attacker who added the code had some experience administering Windows domains.
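
As an added example (not from the article or from the researchers it cites), a small Python hunt over constructed Sysmon-style records: it surfaces a process that was launched with the /NETWORK switch described above and then loaded the ADSI runtime. The record layout, the sample records and the DLL name activeds.dll (ADSI’s implementation library) are assumptions chosen for illustration; because inventory scripts and admin consoles load ADSI too, the /NETWORK switch is the trigger and the ADSI load only raises the severity.

```python
# Added example (not from the article): correlate Sysmon-style process-creation
# records (Event 1) with image-load records (Event 7) to surface a process that
# was started with the /NETWORK switch and then loaded the ADSI runtime.
# Record layout, DLL name and sample data are assumptions for this example.
import json
from collections import defaultdict

ADSI_DLL = "activeds.dll"  # assumption: ADSI's implementation library
WORM_SWITCH = "/network"   # the command-line parameter named in the article

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessGuid":"{A1}","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe","CommandLine":"svc.exe /NETWORK","Signed":"false"}
{"EventID":7,"ProcessGuid":"{A1}","ImageLoaded":"C:\\Windows\\System32\\activeds.dll"}
{"EventID":1,"ProcessGuid":"{B2}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File inventory.ps1","Signed":"true"}
{"EventID":7,"ProcessGuid":"{B2}","ImageLoaded":"C:\\Windows\\System32\\activeds.dll"}
{"EventID":1,"ProcessGuid":"{C3}","Image":"C:\\Temp\\x.exe","CommandLine":"x.exe /NETWORK","Signed":"false"}
"""

def parse_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hunt(records):
    """Return {ProcessGuid: {"severity": ..., "reasons": [...]}} for triage.

    An ADSI load on its own is ignored (admin tooling uses the same API);
    the /NETWORK switch triggers a finding, and the ADSI load plus a missing
    signature raise it to high.
    """
    procs, loads = {}, defaultdict(set)
    for r in records:
        if r["EventID"] == 1:
            procs[r["ProcessGuid"]] = r
        elif r["EventID"] == 7:
            # keep only the case-folded file name for comparison
            loads[r["ProcessGuid"]].add(r["ImageLoaded"].rsplit("\\", 1)[-1].lower())
    findings = {}
    for guid, p in procs.items():
        if WORM_SWITCH not in p["CommandLine"].lower().split():
            continue
        reasons = ["launched with /NETWORK switch"]
        if ADSI_DLL in loads[guid]:
            reasons.append("loaded ADSI runtime (%s)" % ADSI_DLL)
        if p.get("Signed", "false").lower() != "true":
            reasons.append("unsigned image: %s" % p["Image"])
        severity = "high" if len(reasons) == 3 else "medium"
        findings[guid] = {"severity": severity, "reasons": reasons}
    return findings

if __name__ == "__main__":
    for guid, f in hunt(parse_records(SAMPLE_LOG)).items():
        print(guid, f["severity"], "; ".join(f["reasons"]))
```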

Past MountLocker Attacks
The malware has been active since early this year and has infected a number of corporate networks. Last month the Astro Locker ransomware group began using a modified version of MountLocker, and a link between MountLocker and the Astro Locker group has been identified.

The MountLocker gang threatened to reveal stolen data from ECU Worldwide, a shipping company, in March. The gang had stolen 2TB of data from the shipping company.

Concluding Words
MountLocker could be the first corporate ransomware to conduct reconnaissance and spread to other devices utilising Active Directory-related APIs. As a result, organizations should be cautious and implement fundamental security measures such as taking backups, updating systems on a regular basis, and enabling two-factor authentication (2FA).
