Companies worldwide are reported to have failed victims of the recent ransomware attack by Mount Locker. The new ongoing ransomware attack targets corporate networks and demands millions of dollars ransom payment is Bitcoins, and the hackers utter threats to reveal the encrypted data publicly if the victims refuse to pay ransom.
Mount Locker ransomware activity
The Mount Locker ransomware was first noticed in the wild at the end of July 2020. The Trojan gets into the victim system with a malicious file delivered as a spam attachment or comes alongside downloaded freeware. Since this ransomware came into the researchers’ notice, the hackers have attacked and encrypted files of several affected companies and published their information on the site supervised by the ransomware operator. Researchers assume that the ransom amount may vary per victim depending on the value of the compromised information.
The encrypted files have the extension “.ReadManual.ID.” followed by a unique ID that loads the ransom information file on click. The uploaded RecoveryManual file contains instructions for the ransomware victims on further communications with hackers to decrypt the files. The attackers warn that any attempts to modify the encrypted file including restoring them will corrupt data. Hackers supporting the Mount Locker caution the ransomware victims that not following the instruction will lead to reputational damages as the compromised sensitive information will be leaked to publicly available resources.
Mount Locker attack detection
Ransomware attacks awareness and prevention has already become an inevitable part of corporate security culture. Personnel is instructed to avoid weak accounts passwords and to evaluate email-based content to narrow down phishing attacks effects.
Leveraging exclusive threat detection rule by Osman Demir, the Threat Bounty Program content developer, enables spotting the Mount Locker ransomware
The Mount Locker ransomware detection rule is available for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Techniques: Data Encrypted for Impact (T1486)