Mount Locker Ransomware is Getting More Dangerous

Security researchers are reporting that the Mount Locker ransomware is expanding its arsenal with new and dangerous tools. The ransomware going by the name Mount Locker has been around and in the wild for a while now, first making headlines back in September 2020. The old dog is learning new tricks, it seems, and is getting a bit of a facelift, now trying to rebrand itself as AstroLocker.

New campaigns utilizing Mount Locker have displayed the ransomware's updated and more advanced features, including enhanced scripting and improved capabilities for evading detection and prevention tools. Simultaneously with expanding its features, Mount Locker is now also showing up under the new name of AstroLocker.

After its initial spotting in the wild back in September, the ransomware got one significant update a couple of months later, mainly directed at the ransomware's targeting abilities.

Researchers with GuidePoint Security are calling this latest April update an "aggressive shift" in the way Mount Locker works.

Mount Locker abuses legitimate software and applications to achieve its goals. Those include a directory visualization tool and a substitute client for Telnet.

Once Mount Locker has made its way onto the victim's system, it deals with any backups first, to prevent data recovery, then contacts its C2 server to deliver the encryption payload, customized for each victim.

In its new campaign, Mount Locker tries to avoid certain layers of detection by using batch scripts. Those scripts are designed to shut down any tools and environments that might detect the ransomware or prevent its execution.

The most worrying part of this is that the new batch scripts are not one-size-fits-all tools. They are always custom-built to target the specific network environment of the victim.
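The two behaviours described above (a batch script that stops security tooling in bulk, and backup destruction ahead of encryption) are visible in ordinary process-creation telemetry. The script below is an added example, not code from the article or from GuidePoint; the log format, the hostnames, the service names and the timing are all constructed, and the command patterns are generic backup-tampering and defense-impairment indicators (the kind catalogued under MITRE ATT&CK T1490 and T1562), not artefacts attributed to Mount Locker by the article. It flags any backup-tampering command on sight, and raises a second finding when three or more stop/kill commands spawned by cmd.exe land on one host inside a short window, which is what a batch-driven shutdown of defenses looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article). One process-creation event
# per line: "ISO-timestamp|host|parent image|command line". Hosts, service names
# and timestamps are invented; the first host shows the pattern, the second is benign.
SAMPLE_EVENTS = """\
2021-04-20T03:12:01|LAB-WS07|explorer.exe|C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Public\\stage1.bat
2021-04-20T03:12:02|LAB-WS07|cmd.exe|net stop SomeBackupAgent /y
2021-04-20T03:12:02|LAB-WS07|cmd.exe|sc config SomeEdrService start= disabled
2021-04-20T03:12:03|LAB-WS07|cmd.exe|taskkill /f /im SomeAvProcess.exe
2021-04-20T03:12:04|LAB-WS07|cmd.exe|vssadmin delete shadows /all /quiet
2021-04-20T03:12:05|LAB-WS07|cmd.exe|wbadmin delete catalog -quiet
2021-04-20T09:41:10|LAB-WS12|services.exe|net stop Spooler
2021-04-20T09:45:00|LAB-WS12|explorer.exe|C:\\Windows\\System32\\notepad.exe notes.txt
"""

# Generic backup-tampering indicators (assumed, not article-sourced).
BACKUP_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
]

# Generic service-stop / process-kill / AV-disable indicators (assumed).
DEFENSE_IMPAIR = [
    re.compile(r"\bnet(1)?(\.exe)?\s+stop\b", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\b", re.I),
    re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I),
    re.compile(r"Set-MpPreference\b.*-Disable", re.I),
]

WINDOW = timedelta(seconds=60)   # assumed burst window for batch-driven stops
BURST_THRESHOLD = 3              # assumed: three or more stops/kills in the window


def parse_events(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "cmd": cmdline})
    return events


def matches(patterns, cmd):
    return any(p.search(cmd) for p in patterns)


def triage(text):
    """Return a list of findings; each is a dict with at least 'kind' and 'host'."""
    findings = []
    impair_by_host = defaultdict(list)
    for ev in parse_events(text):
        # Backup destruction is worth a finding on its own, whatever launched it.
        if matches(BACKUP_TAMPER, ev["cmd"]):
            findings.append({"kind": "backup_tampering", "host": ev["host"],
                             "cmd": ev["cmd"]})
        # Batch-script context: the command was spawned by cmd.exe.
        if ev["parent"] == "cmd.exe" and matches(DEFENSE_IMPAIR, ev["cmd"]):
            impair_by_host[ev["host"]].append(ev)

    # Sliding window per host: a burst of stop/kill commands from cmd.exe
    # is the signature of a script shutting down defenses, not an admin.
    for host, evs in impair_by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append({"kind": "batch_defense_impairment", "host": host,
                                 "count": end - start + 1,
                                 "cmds": [e["cmd"] for e in evs[start:end + 1]]})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["kind"], f["host"], f.get("cmd") or f.get("cmds"))
```

On the constructed sample this produces two backup_tampering findings and one batch_defense_impairment finding, all for LAB-WS07; the lone `net stop Spooler` on LAB-WS12 is ignored because it was not spawned from cmd.exe and is not part of a burst. Because the article stresses that the scripts are custom-built per victim, the detection keys on the shape of the activity (who spawned it, how many, how fast) rather than on specific service names, which is also why the name lists here are placeholders.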

Threat actors behind recent Mount Locker attacks have also been using several CobaltStrike servers, each with its own unique domain, which further hinders detection. According to GuidePoint, this approach is not particularly common because the amount of work involved to make it all click is significant.

A lot of the recent attacks using Mount Locker have been aimed at biotech. This sector is particularly lucrative for attackers because of the highly sensitive information they might be able to steal.

GuidePoint also believes there is an orchestrated push to rebrand the new, more advanced version of Mount Locker under the name of AstroLocker. In the case of Mount Locker, which is run as a ransomware-as-a-service operation, this would make a lot of sense.

April 26, 2021