New Ransomware MountLocker Uses Extortion and Data Exfiltration

Security researchers have identified a new ransomware family named MountLocker that combines file encryption with data exfiltration and extortion, following the trend set by similar threats in 2020.

MountLocker is distributed on a Ransomware-as-a-Service (RaaS) model: its developers lease it to affiliates who carry out the intrusions, rather than attacking organizations themselves. During 2020 the ransomware threat evolved from simply encrypting systems into more complex operations that combine data theft with blackmail.

Another infamous example of this approach is Maze, whose operators claim to have shut down their operation. Some of their more widely reported targets include SpaceX and Cognizant. It is difficult to tell whether the Maze operators have actually stopped or are rebranding under a different name.

MountLocker, by contrast, is newer and still under active development; it received a significant update in November as its operators worked to evade security tools. The ransomware encrypts victims' files with ChaCha20, and each file encryption key is in turn encrypted with RSA-2048.

“The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data,” say the researchers from the BlackBerry Incident Response Team. “MountLocker does, however, use a cryptographically insecure method for key generation that may be prone to attack.”
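The following is an added illustration, not MountLocker's code and not taken from the BlackBerry report: a ChaCha20 file-encryption routine whose 256-bit key is derived from a 32-bit uptime-style seed through a small linear congruential generator, together with the defender-side brute force that recovers the key from nothing more than a known file header. The LCG is a hypothetical stand-in for the class of weak key generation the researchers allude to; the article does not say what MountLocker's actual method is. The RSA-2048 key wrapping is omitted because it does not change the outcome: if the per-file key can be regenerated from a guessable seed, the wrapped copy never needs to be broken. The ChaCha20 implementation follows RFC 8439; the function names, sample file, seed value and search window are all constructed for this example.

```python
import secrets
import struct

MASK = 0xFFFFFFFF

# ---------- ChaCha20 per RFC 8439, in pure Python so the example runs offline ----------

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for a 32-byte key, 32-bit counter and 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = list(state)
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & MASK for x, y in zip(w, state)))

def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

# ---------- The weakness: a 32-bit seed expanded by a small LCG (hypothetical, not MountLocker's routine) ----------

def lcg_key(seed):
    """MSVC-rand()-style LCG; each key byte is the low byte of one rand() output.
    The result is a 256-bit key with only 2**32 possible values."""
    state = seed & MASK
    key = bytearray()
    for _ in range(32):
        state = (state * 214013 + 2531011) & MASK
        key.append((state >> 16) & 0xFF)
    return bytes(key)

def encrypt_file_weak(plaintext, tick_count):
    """Attacker side (hypothetical): key from a millisecond uptime counter, fresh nonce stored in clear."""
    nonce = secrets.token_bytes(12)
    return nonce, chacha20_xor(lcg_key(tick_count), nonce, plaintext)

def encrypt_file_secure(plaintext):
    """Same scheme with a CSPRNG key: only the (omitted) RSA-wrapped copy of the key can recover it."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    return key, nonce, chacha20_xor(key, nonce, plaintext)

def recover_key(nonce, ciphertext, known_prefix, seed_lo, seed_hi):
    """Defender side: try every seed in the window and accept the one that reproduces a known file header."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(seed_lo, seed_hi):
        key = lcg_key(seed)
        if chacha20_xor(key, nonce, head) == known_prefix:
            return seed, key
    return None

def demo():
    """Encrypt a constructed PNG-like file with a weak key, then recover it from the PNG magic alone."""
    png_magic = b"\x89PNG\r\n\x1a\n"
    plaintext = png_magic + b"constructed sample image data " * 8   # constructed sample file
    tick = 1_234_567    # hypothetical GetTickCount-style value read by the malware at run time
    nonce, ct = encrypt_file_weak(plaintext, tick)
    # The defender knows roughly when encryption ran relative to boot: search an 8-second window.
    found = recover_key(nonce, ct, png_magic, tick - 4_000, tick + 4_000)
    if found is None:
        return False
    seed, key = found
    return seed == tick and chacha20_xor(key, nonce, ct) == plaintext

if __name__ == "__main__":
    print("weak key recovered:", demo())
```

The contrast is the whole point of the researchers' remark: `encrypt_file_secure` uses the same cipher and the same envelope design, but because its key comes from the operating system's CSPRNG the seed space is 2^256 rather than 2^32, and the RSA-wrapped key becomes the only route back to the plaintext.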

Like Maze, MountLocker uses the FTP protocol to exfiltrate data, which lets the operators blackmail victims with the threat of publication in addition to demanding payment for the decryption key. This extortion is a direct response to defenders' use of backups and cyber insurance, which reduce the leverage that encryption alone provides.
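The exfiltration channel described above invites a simple hunt in connection logs. The following is an added example, not from the article or the BlackBerry report: it sums the bytes each internal host sends over the FTP control and active-mode data ports to each external destination and flags pairs that exceed a volume threshold. The log lines, addresses and threshold are constructed; the record format (timestamp, source, destination, destination port, bytes sent) is a stand-in for whatever a firewall or flow collector actually emits, and the internal ranges are assumed to be the RFC 1918 networks.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection records: timestamp src dst dst_port bytes_sent_by_src.
# 203.0.113.45 and 198.51.100.8 are documentation addresses standing in for external hosts.
SAMPLE_LOG = """\
2020-11-20T02:14:07Z 10.20.5.17 203.0.113.45 21 1843
2020-11-20T02:14:09Z 10.20.5.17 203.0.113.45 20 734003200
2020-11-20T02:15:31Z 10.20.5.17 203.0.113.45 20 512000000
2020-11-20T02:16:02Z 10.20.7.9 10.20.1.2 21 9120
2020-11-20T02:16:05Z 10.20.7.9 10.20.1.2 20 41000000
2020-11-20T03:01:44Z 10.20.5.22 198.51.100.8 443 2048000
"""

FTP_PORTS = {21, 20}   # control channel and active-mode data channel
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True if addr falls in one of the assumed RFC 1918 internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_records(log_text):
    """Yield (timestamp, src, dst, port, nbytes) tuples; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield ts, src, dst, int(port), int(nbytes)

def outbound_ftp_volume(log_text):
    """Bytes sent per (src, dst) over FTP ports to addresses outside the internal ranges.
    Internal-to-internal FTP (e.g. a backup job) is deliberately excluded."""
    totals = defaultdict(int)
    for _ts, src, dst, port, nbytes in parse_records(log_text):
        if port in FTP_PORTS and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)

def flag_exfil(log_text, threshold_bytes=100 * 1024 * 1024):
    """Return (src, dst) pairs whose outbound FTP volume exceeds the threshold (default 100 MiB)."""
    return sorted(pair for pair, total in outbound_ftp_volume(log_text).items()
                  if total > threshold_bytes)

if __name__ == "__main__":
    for src, dst in flag_exfil(SAMPLE_LOG):
        print(f"possible FTP exfiltration: {src} -> {dst}")
```

Passive-mode FTP negotiates a high data port per transfer, so a pure port filter like the one above misses it; on a sensor with protocol parsing (Zeek's ftp.log, for example) key the aggregation on the identified service rather than the destination port, and treat any bulk upload to an address outside the organization as worth a look regardless of protocol.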

“Since its inception, the MountLocker group have been seen to both expand and improve their services and malware,” the researchers also said.