Mount Locker Ransomware

Author
Recent Posts

Eugene Tkachenko

Latest posts by Eugene Tkachenko (see all)

LAPSUS$ Digital Extortion Gang Claims Microsoft’s Data Leak: Breach Affected Okta Customers - 23.03.2022
NIGHT SPIDER Zloader Detection: Defend Against Malicious Trojan Activity with SOC Prime - 17.03.2022
Detect Emotet Activity: Infamous Malware Resurfaced to Target Systems Worldwide - 16.03.2022

WRITTEN BY

Eugene Tkachenko

[post-views]

September 30, 2020 · 2 min read

CONTENT:

Companies worldwide are reported to have failed victims of the recent ransomware attack by Mount Locker. The new ongoing ransomware attack targets corporate networks and demands millions of dollars ransom payment is Bitcoins, and the hackers utter threats to reveal the encrypted data publicly if the victims refuse to pay ransom.

Mount Locker ransomware activity

The Mount Locker ransomware was first noticed in the wild at the end of July 2020. The Trojan gets into the victim system with a malicious file delivered as a spam attachment or comes alongside downloaded freeware. Since this ransomware came into the researchers’ notice, the hackers have attacked and encrypted files of several affected companies and published their information on the site supervised by the ransomware operator. Researchers assume that the ransom amount may vary per victim depending on the value of the compromised information.

The encrypted files have the extension “.ReadManual.ID.” followed by a unique ID that loads the ransom information file on click. The uploaded RecoveryManual file contains instructions for the ransomware victims on further communications with hackers to decrypt the files. The attackers warn that any attempts to modify the encrypted file including restoring them will corrupt data. Hackers supporting the Mount Locker caution the ransomware victims that not following the instruction will lead to reputational damages as the compromised sensitive information will be leaked to publicly available resources.

Mount Locker attack detection

Ransomware attacks awareness and prevention has already become an inevitable part of corporate security culture. Personnel is instructed to avoid weak accounts passwords and to evaluate email-based content to narrow down phishing attacks effects.

Leveraging exclusive threat detection rule by Osman Demir, the Threat Bounty Program content developer, enables spotting the Mount Locker ransomware

https://tdm.socprime.com/tdm/info/lcDnMHyHuZ5f/spy503QBSh4W_EKGF5O7/?p=1

The Mount Locker ransomware detection rule is available for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community

Was this article helpful?

Like and share it with your peers.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free Book a Meeting

Blog, Latest Threats — 3 min read

Ferrari Data Breach Disclosed: Attackers Gain Access to the Company’s Network While Demanding Ransom to Prevent Data Leakage

Veronika Telychko

News — 3 min read

SOC Prime Threat Bounty — February 2023 Results

Alla Yurchenko

Blog, Latest Threats — 4 min read

Detect CVE-2023-23397 Exploits: Critical Elevation of Privilege Vulnerability in Microsoft Outlook Leveraged in the Wild to Target European Government and Military