MountLocker Ransomware Gets Trimmed, Joins Hands with Affiliates

Since its discovery at the end of July 2020, the MountLocker ransomware has been growing rapidly, and it has now become very prominent and geographically diverse. Recently, BlackBerry researchers published a technical analysis of a new MountLocker variant.

Key findings

The latest MountLocker version first surfaced in the wild in late November, with a compilation timestamp from early November.

The new MountLocker ransomware variant is considerably smaller in size than the previous versions, owing to the removal of the vast list of file extensions it targets. It shares approximately 70% similarity with the initial MountLocker release, with no other apparent changes.

The MountLocker operators have been relying on affiliates for the initial intrusion into corporate networks. The Ransomware-as-a-Service (RaaS) affiliate program deploys the ransomware widely, with the operators seeking multimillion-dollar payments for decryption services.

MountLocker affiliates were observed using public tools such as CobaltStrike Beacon and AdFind in these attacks for reconnaissance and lateral movement on the network, while FTP was used to exfiltrate sensitive client data prior to encryption.

The recent MountLocker attacks

In the second half of November, the same version added file extensions such as .tax, .tax2009, .tax2013 and .tax2014, which are associated with the TurboTax software for preparing tax return documents.

In the same month, the ransomware group targeted Sonoma Valley Hospital, stealing its data and leaking it online.
MountLocker had targeted Sweden’s security firm Gunnebo AB in Oc ..
