Mount Locker Ransomware Aggressively Changes Up Tactics

The ransomware is upping its danger quotient with new features while signaling a rebranding to “AstroLocker.”

The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers. And, the change in tactics appears to coincide with a rebranding for the malware into “AstroLocker.”

According to researchers, Mount Locker has been a swiftly moving threat. Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion. Attacks have continued to escalate, and now, another major update signals “an aggressive shift in Mount Locker’s tactics,” according to an analysis released Thursday by GuidePoint Security.

Mount Locker Adds Security-Evasion Features

Like many ransomware gangs, the operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid, in a double-extortion gambit. They’re also known for demanding multimillion-dollar ransoms and stealing especially large amounts of data (up to 400 GB).

In terms of technical approach, Mount Locker uses off-the-shelf, legitimate tools to move laterally, steal files and deploy encryption, GuidePoint noted. This includes the use of AdFind and Bloodhound for Active Directory and user reconnaissance; FTP for file exfiltration; and the pen-testing tool CobaltStrike for lateral movement and the delivery and execution of encryption, potentially through psExec.

Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!

“After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control channels (C2),” said Drew Schmitt, senior threat intelligence analyst for GuidePoint, in the analysis. “These payloads include executables, extensions and unique victim IDs for payment.”

More recent campaigns have jazzed things up with new batch scripts, researchers noted. These are designed to disable detection and prevention tools.

“[This] indicates that Mount Locker is increasing its capabilities and is becoming a more dangerous threat,” according to Schmitt. “These scripts were not just blanket steps to disable a large swath of tools, they were customized and targeted to the victim’s environment.”

Another change in tactics for the group involves using multiple CobaltStrike servers with unique domains. It’s an added step that helps with detection evasion, but Schmitt noted that it’s not often seen because it requires much more management to put into practice effectively.

Biotech Firms in Cyberattack Sights

A Mount Locker ransom note. Click to enlarge. Source: GuidePoint Security.

The changes have been accompanied by an uptick in Mount Locker attacks, especially those taking aim at companies in the biological tech industry. Schmitt said there has been a surge in incidents in this segment, indicating that  there may be a larger campaign afoot that aggressively targets healthcare-adjacent industries.

“Biotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP,” Schmitt explained. “Additionally, connections to other research organizations increase the potential to damage the victim’s reputation in the industry and put business dealings at risk.”

Healthcare and biotech companies are also prime targets given that they stand to lose the most if operations are halted for too long or critical IP is lost, Schmitt pointed out. So, “attackers view them as more likely to pay the requested ransom quickly,” he said.

All of this has happened as Mount Locker appears to be rebranding to AstroLocker. Schmitt pointed out that “the verbiage and victims listed on both variants’ shaming sites share significant overlap.” He added, “this could signal a shift in the group’s overall tactics and an effort to fully rebrand as a more insidious threat.”

Organizations can look for signs of Mount Locker or AstroLocker within their environments, such as CobaltStrike stagers and beacons; and, they should monitor for the staging and exfiltration of files via FTP.

“While these would always be cause for alarm…an updated, more aggressive Mount Locker and the dramatic increase in attacks attributable to the group make these indicators of compromise particularly alarming,” Schmitt concluded.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles