Windows API Used as a Doorway in a MountLocker Ransomware Operation


Threat actors are now using MountLocker ransomware with the Windows Active Directory enterprise APIs to target website developers and organizations. MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS).

Under this arrangement, the MountLocker core team receives a 20-30% cut of each ransom payment and the affiliate keeps the remainder. In March 2021, the 'Astro Locker' ransomware group emerged and began using a customized version of the MountLocker ransomware, with ransom notes pointing to its own payment and data leak sites.

"It's not a rebranding, probably we can define it as an alliance," Astro Locker told BleepingComputer when asked about its association with MountLocker. Then, in May 2021, a third group called 'XingLocker' emerged, which also uses a customized MountLocker ransomware executable.

Earlier this week, MalwareHunterTeam shared a sample of what was believed to be a brand new MountLocker executable that includes a new worm feature allowing it to spread to and encrypt other devices on the network. After examining the sample, BleepingComputer confirmed that it was a customized sample for the XingLocker group.

A brief analysis by BleepingComputer showed that the worm feature can be enabled by running the malware sample with the /NETWORK command-line argument. As this feature requires a Windows. After sharing the sample with Advanced Intel CEO Vitali Kremez, it was found that MountLocker now uses the Windows Active Directory Service Interfaces (ADSI) API as part of its worm feature.
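As an added detection example (not code from the article or from the malware), the following correlates constructed process-creation and image-load events to flag a process that was started with the /NETWORK switch described above and then loaded ADSI. The event shape is assumed to be Sysmon-like, and activeds.dll (the library that implements ADSI) is an indicator chosen here, not one named on the page.

```python
# Constructed, Sysmon-like events (not real logs). event_id 1 = process
# creation, event_id 7 = image load. Fields are an assumed minimal shape.
EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Users\Public\svc.exe",
     "cmdline": "svc.exe /NETWORK"},
    {"event_id": 7, "pid": 4120, "image_loaded": r"C:\Windows\System32\activeds.dll"},
    {"event_id": 1, "pid": 5000, "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": "dsquery computer"},
    {"event_id": 7, "pid": 5000, "image_loaded": r"C:\Windows\System32\activeds.dll"},
    {"event_id": 1, "pid": 6100, "image": r"C:\Tools\backup.exe",
     "cmdline": "backup.exe /NETWORK"},
]

SUSPICIOUS_FLAG = "/network"  # worm switch reported for the XingLocker sample
ADSI_DLL = "activeds.dll"     # library implementing ADSI (assumed indicator)


def has_flag(cmdline: str) -> bool:
    """True if the command line carries the /NETWORK switch as a whole token."""
    return any(tok.lower() == SUSPICIOUS_FLAG for tok in cmdline.split())


def find_adsi_worm_candidates(events: list) -> list:
    """Return pids of processes started with /NETWORK that also loaded ADSI.

    Either signal alone is noisy (admin tools load ADSI; many programs take
    a /NETWORK switch), so the two are correlated by pid before alerting.
    """
    flagged = {}
    for e in events:
        if e["event_id"] == 1 and has_flag(e["cmdline"]):
            flagged[e["pid"]] = {"image": e["image"], "adsi": False}
    for e in events:
        if (e["event_id"] == 7 and e["pid"] in flagged
                and e["image_loaded"].lower().endswith(ADSI_DLL)):
            flagged[e["pid"]]["adsi"] = True
    return sorted(pid for pid, info in flagged.items() if info["adsi"])


if __name__ == "__main__":
    for pid in find_adsi_worm_candidates(EVENTS):
        print(f"candidate worm process pid={pid}")
```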

"Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional t ..
