On Monday, Security researcher MalwareHunterTeam mentioned on Twitter that the MountLocker ransomware was being updated and has recently added a worm feature to spread through corporate networks. Vitali Kremez of Advanced Intel later detailed this, showing that the ransomware now made use of the Active Directory Service Interfaces (ADSI) API to query the domain controller for computer objects within the domain. For each computer found, MountLocker attempts to copy itself to that machine’s “C:ProgramData” directory, remotely create a new service and execute. Two other groups are currently known to use custom versions of MountLocker: Astro Locker and XingLocker. When reached out to by Bleeping Computer, the Astro Locker team said, “It’s not a rebranding, probably we can define it as an alliance.”
Analyst Notes
The new worm functionality used by MountLocker currently requires a command line argument (/NETWORK) to be passed at the time of launch along with credentials for authenticating to the domain, though this does not make it any less dangerous. Binary Defense highly recommends reading and implementing steps from the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information that any organization can use, describing in detail how to backup and protect data, create incident response plans and more. Binary Defense also recommends utilizing Threat Hunting services or a 24/7 SOC such as our own Security Operations Task Force to quickly find and react to threats on your network before they have a chance to spread.
