The Ransomware threat known as Mount Locker was recently involved in multiple hacking campaigns. The malware seems to have been enhanced with advanced scripts focused on anti-prevention allowing the virus to more effectively infiltrate the system. In addition to that, the virus has been rebranded and now goes under the “AstroLocker” name.
Researchers report that the Mount Locker threat is a rapidly evolving one. The virus became a ransomware-as-a-service threat back in the second half of last year and an update was released for it that improved its targeting by implementing the tax-return software known as TurboTax in order to help the malware search for specific file extensions in the machine. Another improvement made to the malware was enhanced detection-evasion to make it more difficult for users to spot the threat while it is operating in the system.
According to researchers, the malware in question is still evolving and its attack campaigns have only been escalating. The latest major update to the threat suggests that the creators of Mount Locker are about to start adopting more aggressive attack tactics.
Updates to Mount Locker Allow it to Evade Detection
It is a common practice for Ransomware hackers to not only lock the files of their victims but to also steal sensitive data from the attacked machine and threaten the user to leak said data if the requested ransom sum isn’t paid on time. This also applies to Mount Locker, as the threat oftentimes targets big companies and organizations, stealing significant amounts of data and requesting large ransom amounts (7-digit sums).
Mont Locker is known for employing legitimate apps and software tools in order to distribute laterally and steal and encrypt data in all computers connected to the attacked local network. Some of the tools used by Mount Locker are Bloodhound, AdFind, FTP, and CobaltStrike (a pen-testing utility).
Once the hackers map out the targeted environment and identify and neutralize the available backup systems, the data harvesting and encryption commences. The encryption is done through the use of target-specific ransomware scripts that are deployed with the help of previously-established C2 (command-and-control) channels according to the researchers at GuidePoint. The attack payload contains encryption extensions, executables, and unique user IDs that must be used for the payment.
The majority of the recent Mount Locker attack campaigns use new batch scripts that focus on hindering the detection of the threat from any security tools that the victim may have in place. According to the security analysis, this comes to show that Mount Locker is rapidly becoming a more serious and potent cyber threat. The detection-evasion scripts are not simply supposed to hide the threat from a wide variety of detection tools but are customized for the specific system, software, and environment of the targeted victim.
One other new tactic employed by the hackers is to use several CobaltStrike servers that have unique domains. This new step allows the threat to evade detection, but it isn’t implemented very commonly because it requires significantly more management in order to be effective.
Biotech and Healthcare Organizations Targeted by Mount Locker
The recent changes to Mount Locker occurred at the same time the attacks from this threat became more frequent. There has been a significant increase in the hacking attempts from this threat that target bio-tech companies. According to Drew Schmitt, senior threat intelligence analyst at GuidePoint, the surge of bio-tech company attacks using the Mount Locker threat indicate that there could be an undergoing campaign of a larger scale that focuses on the industries adjacent to the health-care sector.
According to Schmitt, one of the main reasons why the health-care sector is a common target for hackers is because it operates with both lots of money and highly-sensitive information. To add to that, the connections between health-care and other large research organizations significantly increases the danger posed to the reputation of the targeted victim should the stolen data be leaked by the hackers.
Another factor that needs to be considered is that health-care and biotech companies could lose lots of resources and reputation if their operations are kept on hold for long due to a Ransomware infiltration. Because of that, the likelihood of victims from those sectors paying the ransom outright in order to not waste time is high.
It seems that the criminal actors have taken all of these factors into account and are currently working towards rebranding Mount Locker to AstroLocker, making this Ransomware a more significant threat that would be targeted at higher-profile victims from those two sectors.
The researchers at Guide Point advise organizations to keep an eye out for signs of the Mount Locker/AstroLocker threat, within their environments. A common signs, for instance, are stagers and beacons from CobaltStrike. Also, the organizations’ IT security teams should monitor their environments for file exfiltration and staging via FTP.
In conclusion, while such symptoms are always alarming, the recent changes to Mount Locker combined with the increase in the frequency of attacks performed by it should make you extra alert if you notice organizations notice any such suspicious activity in their environments.