This new ransomware is growing in strength and could become a major threat, warn researchers

The group behind MountLocker ransomware are "clearly just warming up", say researchers.
Written by Danny Palmer, Senior Writer

Ransomware that demands millions of dollars from victims and is being updated with new features could become another serious threat to businesses.

MountLocker ransomware first emerged in July and encrypts the networks of victims, with the attackers demanding bitcoin in exchange for the decryption key. Like other forms of ransomware, the criminal hackers behind it threaten to leak stolen information from the victim organisation if the bitcoin ransom isn't paid.

Cybersecurity researchers at BlackBerry have been analysing MountLocker and say that those behind it are "clearly just warming up" – and this family of ransomware could become a major threat going forward.


Researchers note that MountLocker takes advantage of an affiliate scheme in order to find victims, likely negotiating with hackers who've already compromised a network with malware in order to make the deployment of the ransomware as easy and widespread as possible – and providing a means for both parties to illicitly make money from the network compromise.

"Affiliates are often separate organised crime groups, who go looking for easy – and not so easy – entry into networks," Tom Bonner, distinguished threat researcher at BlackBerry, told ZDNet.

"Once they have established a foothold they will begin negotiations with ransomware operators, usually via dark web channels, in order to obtain a ransomware to monetize the access to the victim's environment," he added.

While it's possible for hackers to breach the network using malware, it's common for outsiders to gain access to the network by breaching weak, commonly used or default passwords, then escalating their privileges from there.

In this case, the MountLocker crew spread across the network with publicly available tools, deploying ransomware across the network in as little as 24 hours. Once the command to execute the ransomware is initiated, victims find themselves locked out of their network and facing a seven-figure ransom demand.

Analysis of campaigns found that an updated version of MountLocker emerged last month, designed to make it even more efficient at encrypting files and with an updated ability to evade detection by security software.

While MountLocker still appears to be in a relatively early stage of development, it's already proved effective by claiming victims around the world and it's likely to become more prolific as it evolves.

"Since its inception, the MountLocker group have been seen to both expand and improve their services and malware. While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term," says the research paper.


Like all forms of ransomware, MountLocker takes advantage of common security vulnerabilities in order to spread, so some of the best ways to protect against falling victim to it are to ensure that default passwords aren't used, two-factor authentication is applied and networks are updated with the latest security patches to counter known vulnerabilities.

It's also useful for organisations to have a plan in place, so that if they do fall victim to a ransomware attack, they're able to react accordingly.

"With the highly targeted and increasingly sophisticated nature of these attacks, it is highly advisable to have disaster recovery plans in place like secure backups and test those backups frequently," said Bonner.

