Mount Locker Ransomware

Companies worldwide are reported to have failed victims of the recent ransomware attack by Mount Locker. The new ongoing ransomware attack targets corporate networks and demands millions of dollars ransom payment is Bitcoins, and the hackers utter threats to reveal the encrypted data publicly if the victims refuse to pay ransom.

Mount Locker ransomware activity

The Mount Locker ransomware was first noticed in the wild at the end of July 2020. The Trojan gets into the victim system with a malicious file delivered as a spam attachment or comes alongside downloaded freeware. Since this ransomware came into the researchers’ notice, the hackers have attacked and encrypted files of several affected companies and published their information on the site supervised by the ransomware operator. Researchers assume that the ransom amount may vary per victim depending on the value of the compromised information.

The encrypted files have the extension “.ReadManual.ID.” followed by a unique ID that loads the ransom information file on click. The uploaded RecoveryManual file contains instructions for the ransomware victims on further communications with hackers to decrypt the files. The attackers warn that any attempts to modify the encrypted file including restoring them will corrupt data. Hackers supporting the Mount Locker caution the ransomware victims that not following the instruction will lead to reputational damages as the compromised sensitive information will be leaked to publicly available resources.

Mount Locker attack detection

Ransomware attacks awareness and prevention has already become an inevitable part of corporate security culture. Personnel is instructed to avoid weak accounts passwords and to evaluate email-based content to narrow down phishing attacks effects.

Leveraging exclusive threat detection rule by Osman Demir, the Threat Bounty Program content developer, enables spotting the Mount Locker ransomware

https://tdm.socprime.com/tdm/info/lcDnMHyHuZ5f/spy503QBSh4W_EKGF5O7/?p=1

The Mount Locker ransomware detection rule is available for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community