The Mount Locker gang is taking an unusual approach to extort affected victims as the year comes to a close and tax season approaches. While the gang is relatively new to the scene (first reported in July of 2020), they have quickly gained the reputation of high ransom prices and exfiltrating upwards of 400GB of data to hold as a secondary ransom and incentive for victims to pay quickly. Lawrence Abrams at Bleeping Computer reported that Advanced Intel’s Vitali Kremez and MalwareHunterTeam have noticed that the ransomware used by Mount Locker is searching for file extensions utilized by TurboTax tax return software and looking for specific years to encrypt. The new targeting of TurboTax data files may be an attempt to pull greater leverage and entice victims to pay for access to their own tax records before they have to file.
This change is likely not the last innovation from Mount Locker as the gang seeks to differentiate itself from other ransomware varieties and increase its illicity profits. An easy way to help mitigate if ransomware targets accounting data is to have a backup procedure and plan to restore the encrypted data. After ensuring backups are in place, another strategy is to place decoy TurboTax files in locations where attackers might look for them but otherwise will not be used by authorized users and then add file access auditing to alert security analysts whenever those files are modified. Although that won’t prevent files in one location from being encrypted, it will give defenders a chance to respond to an attack in progress and stop further damage. Understanding the volume of data that could leave a corporate environment can help detect when mass data exfiltration occurs, but only if security analysts are on duty to observe and respond to the warning signs of an attack. With all that in mind, having secure data stores utilizing multi-factor authentication (MFA) and applying attack surface reduction rules can often be the most effective in preventing these kinds of attacks. Understanding where and how business critical data is stored, and then limiting access to the data and the network segment where it resides, can go a long way in preventing attacks such as these.
1⃣Detailed Speed Stats Metrics
*Crypt Avg:t%0.3f MB/s
2⃣'All your important documents have been encrypted and transferred to our premises!
3⃣Targets tax return created by tax filing programs (.tax* ext)
— Vitali Kremez (@VK_Intel) November 19, 2020