The Mount Locker gang is taking an unusual approach to extorting affected victims as the year comes to a close and tax season approaches. While the gang is relatively new to the scene (first reported in July of 2020), it has quickly gained a reputation for high ransom prices and for exfiltrating upwards of 400GB of data to hold as a secondary ransom and an incentive for victims to pay quickly. Lawrence Abrams at Bleeping Computer reported that Advanced Intel’s Vitali Kremez and MalwareHunterTeam have noticed that the ransomware used by Mount Locker searches for file extensions used by TurboTax tax return software and looks for specific years to encrypt. The new targeting of TurboTax data files may be an attempt to gain greater leverage and entice victims to pay for access to their own tax records before they have to file.