Mount Locker ransomware has raised concern in recent campaigns by adding more sophisticated scripting and anti-prevention features, researchers say. The change in tactics appears to coincide with a rebranding of the malware as "Astro Locker."
The ransomware is becoming more dangerous with new features while rebranding to "Astro Locker."
According to researchers, Mount Locker has been a fast-moving threat. Having entered the ransomware-as-a-service world only in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for the file extensions used by TurboTax tax-return software so that those files are encrypted). It also added improved detection evasion.
Attacks have continued to escalate, and now another major update signals "an aggressive shift in Mount Locker's tactics," warns an analysis released Thursday by GuidePoint Security.
Like many ransomware gangs, the operators not only lock up files but also steal data and threaten to leak it if the ransom isn't paid, in a double-extortion gambit. They are also known for demanding multi-million-dollar ransoms and stealing especially large amounts of data (up to 400 GB).
In terms of technical approach, Mount Locker uses off-the-shelf, legitimate tools to move laterally, steal files and deploy encryption, GuidePoint noted. This includes the use of AdFind and BloodHound for Active Directory and user reconnaissance; FTP for file exfiltration; and the pen-testing tool Cobalt Strike for lateral movement and for the delivery and execution of the encryptor, potentially via PsExec.
Identified & Neutralised
"After the environment is mapped, backup systems are identified and neutralised, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control channels (C2)," observed Drew Schmitt, Senior Threat Intelligence Analyst at GuidePoint, in the analysis.
"These payloads include executables, extensions and unique victim IDs for payment."
More recent campaigns have made things worse with new batch scripts designed to disable detection and prevention tools, researchers noted.
"This indicates that Mount Locker is increasing its capabilities and is becoming a more dangerous threat," according to Schmitt. "These scripts were not just blanket steps to disable a large swath of tools; they were customised and targeted to the victim's environment."
A further change in tactics for this group involves using multiple Cobalt Strike servers with unique domains. This added step helps with detection evasion, but Schmitt noted that it is not often seen because it requires much more management to use effectively.
The changes have been accompanied by an uptick in Mount Locker attacks, especially those aimed at companies in the biotech industry. Schmitt noted a surge in incidents in this segment, indicating that there may be a larger campaign that aggressively targets healthcare-related industries.
"Biotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP," Schmitt explained. "Additionally, connections to other research organisations increase the potential to damage the victim's reputation in the industry and put business dealings at risk."
Healthcare and biotech companies are also prime targets because they stand to lose the most if operations are halted for too long or critical IP is lost, Schmitt pointed out. As a result, "attackers view them as more likely to pay the requested ransom quickly," he explained.
All of this has happened as Mount Locker appears to be rebranding as Astro Locker. Schmitt pointed out that "the verbiage and victims listed on both variants' shaming sites share significant overlap." He added, "this could signal a shift in the group's overall tactics and an effort to fully rebrand as a more insidious threat."
Stagers & Beacons
Organisations can look for signs of Mount Locker or Astro Locker in their environments, such as Cobalt Strike stagers and beacons, and they should monitor for the staging and exfiltration of files via FTP.
"While these would always be cause for alarm…an updated, more aggressive Mount Locker and the dramatic increase in attacks attributable to the group make these indicators of compromise particularly alarming," Schmitt concluded.
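One way to act on the FTP-exfiltration monitoring recommended above is to aggregate outbound FTP byte counts per host from flow records and flag hosts that exceed a baseline. This is an added example, not code from GuidePoint's analysis; the flow-record layout, hostnames, addresses and threshold are all constructed.

```python
# Added example: flag hosts with unusually large outbound FTP transfer volume,
# a crude check for the bulk staging/exfiltration the article describes.
# Flow records are constructed: (src_host, dst_ip, dst_port, bytes_out).
from collections import defaultdict

FTP_PORTS = {20, 21}  # FTP data and control ports (active mode)

# Constructed sample flows; destination IPs are from documentation ranges.
FLOWS = [
    ("ws-014",   "203.0.113.7",   21, 1_200),
    ("ws-014",   "203.0.113.7",   21, 5_000),
    ("srv-db01", "198.51.100.23", 21, 1_900_000_000),
    ("srv-db01", "198.51.100.23", 21, 2_300_000_000),
    ("ws-022",   "192.0.2.10",   443, 90_000),
]

def ftp_volume_by_host(flows):
    """Sum outbound bytes on FTP ports, keyed by source host."""
    totals = defaultdict(int)
    for src, _dst, port, nbytes in flows:
        if port in FTP_PORTS:
            totals[src] += nbytes
    return dict(totals)

def ftp_peers_by_host(flows):
    """Destination IPs each host talked FTP to; useful for triage."""
    peers = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if port in FTP_PORTS:
            peers[src].add(dst)
    return {h: sorted(p) for h, p in peers.items()}

def flag_exfil(flows, threshold_bytes):
    """Hosts whose outbound FTP volume meets or exceeds the threshold."""
    volumes = ftp_volume_by_host(flows)
    return sorted(h for h, b in volumes.items() if b >= threshold_bytes)

if __name__ == "__main__":
    # Constructed threshold: 1 GB outbound over FTP in the observed window.
    for host in flag_exfil(FLOWS, 1_000_000_000):
        print(host, ftp_volume_by_host(FLOWS)[host], ftp_peers_by_host(FLOWS)[host])
```

Passive-mode FTP moves the data channel to ephemeral ports, so port-based matching undercounts it; in production, key on the sensor's protocol identification rather than port alone and tune the threshold to each host role's normal outbound volume.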